NordVPN x Saily study reveals a concerning number of leaked airline and hotel loyalty accounts
The study on stolen loyalty accounts was conducted by NordVPN cybersecurity experts in collaboration with the team behind the Saily eSIM app. It represents a short exploratory study, aimed at loyalty data exposure on the dark web.
To collect and analyze relevant data, researchers used NordStellar’s Dark Web Search tool with AI‑driven filtering techniques. The analysis focused on content posted over the past five years.
The data collection process was carried out in several stages:
- 1.Dark Web search setup. NordStellar’s Dark Web Search feature was used with AI filtering to automatically identify and classify posts potentially related to travel and loyalty program data.
- 2.Analysis of airline-related posts. Researchers searched for the keywords “travel” and “airline” to identify posts discussing loyalty accounts or data breaches involving airlines. Since the raw data contained significant amounts of spam, duplicate entries, and unrelated discussions, an AI‑based model was applied to filter out irrelevant content. In total, 1045 unique posts meaningfully discussing airlines were found. To assess popularity, the frequency of airline mentions was counted across different posts — multiple mentions of the same airline within a single post were counted as one mention.
- 3.Analysis of hotel-related posts. Using the keyword “hotel,” a similar process was repeated to identify discussions about hotel loyalty programs. After filtering and deduplication, 551 unique posts referencing hotels were found.
- 4.Leaked travel databases analysis. To identify posts where travel‑related databases were being sold, researchers looked for the keywords “price,” “$,” “USD,” “BTC,” and “XMR” combined with the built-in DATABASE tag. The initial search returned 17578 posts, many of which were spam or repeated across different forums. After filtering to include only travel‑related entries (e.g., trips, hotels, and other travel data), only 29 posts (approximately equal to 0.2%) remained.
It’s worth mentioning that the dark web data environment is fragmented and inconsistent. Therefore, results should be interpreted as informative takeaways rather than comprehensive statistics.
A first-class ticket for stolen airline loyalty accounts
According to the study data, American Airlines, Southwest, Emirates, United, Alaska, and Delta are among the most commonly discussed airlines on the dark web forums. That accounts for over 54% of all airline-related cybercrime discussions.
The most common discussions regarding these airlines involve the purchase of stolen loyalty program accounts, some with hundreds of thousands of miles accumulated in them. While most sellers do not list their prices, those who share their offers sell stolen loyalty accounts for as little as $0.75 and up to $200.
Stolen accounts allow cybercriminals to book free flights and other perks at the expense of legitimate customers. And although malicious actors sell these accounts with promises that include wording such as “safe flights” or “you pay after,” the transactions for these purchases may be conducted using stolen credit cards and travel accounts. Which means there’s a high chance that buyers will get caught when using tickets or rooms gotten through stolen loyalty accounts.
Statistically, the most mentioned airlines on the dark web include:
- Southwest Airlines (12.2% of all mentions)
- Emirates (11.5%)
- United Airlines (11%)
- Alaska Airlines (10.4%)
- American Airlines (8.9%)
- Delta Airlines (7.3%)
- JetBlue Airlines (6.5%)
- Frontier (5.9%)
- British Airlines (5.5%)
- Spirit Airlines (4.3%)
- Lufthansa (3.3%)
- Air Canada (2.3%)
- China Airlines (2.3%)
- Vietnam Airlines (1.9%)
Luxury suite in the darkest corners of the web
Like airlines, hotel chain names have been spotted on the dark web, too. The study shows evidence that hotel databases traded on the dark web often include not only guest information but also loyalty account details, making them especially popular among cybercriminals. Hotel chains like Hilton, Marriott, and IHG are among the top-mentioned names, with 34%, 24%, and 21% of mentions, respectively.
Choice Hotels, MGM Resorts, and Hyatt have also appeared in dark web posts with links to leaked databases. These collections of data sometimes contain millions of records: names, email addresses, stay histories, and even passport numbers in some cases. Further data analysis shows that leaked databases containing high-value sensitive information can sell for up to $3,000.
Why and how does this happen?
Cybercriminals get loyalty account data using several methods, like phishing scams, data breaches, and credential stuffing attacks. Once criminals get access to an account, they can quickly convert the loyalty points into gift cards, move them to other accounts, or use them for booking flights or hotel stays that they later resell. Because these transactions blend in with normal activity, it can be hard to trace where the points went, making it easy for scammers to cash out without being noticed.
The travel industry is a lucrative target for hackers due to the sensitive personal and financial data they handle. This study suggests that the travel industry may face increasing cyber threats (such as data breaches or credential stuffing) and that the stolen information has a thriving market on the dark web.
How to safeguard yourself
Safeguarding against malicious actors requires some vigilance and effort. In this particular case, using strong, unique passwords for every account and turning on multi-factor authentication is one of the simplest ways to stay protected. However, it’s not the only measure users can take.
Checking an airline or hotel platform account’s login history periodically can save travelers from unpleasant surprises. If any suspicious activity appears, they should immediately change their passwords. Where possible, enabling alerts for unusual point redemptions is also recommended, since responding quickly to fraudulent activity is crucial.
Finally, using a trusted eSIM service and a VPN can add an extra security layers when traveling. VPN services such as NordVPN protect users from unwanted snoopers while browsing in public places. Meanwhile, eSIM providers such as Saily eliminate the need to connect to public Wi-Fi, helping safeguard users’ data while browsing abroad.
(Source : NordVPN/Saily)
newadmin
Vegas’s Billion-Dollar Secrets – What They Don’t Want Tourists to Know
Visit Florida’s New CEO Bryan Griffin Shares His Vision for State Tourism with Graham
Chicago’s Tourism Renaissance: Graham Interviews Kristin Reynolds of Choose Chicago
Graham Talks with Cassandra McCauley of MMGY NextFactor About the Latest Industry Research
Destination International’s Andreas Weissenborn: Research, Advocacy, and Destination Impact
Graham and Don Welsh Discuss the Success of Destinations International’s Annual Conference
Graham and CEO Andre Kiwitz on Ventura Travel’s UK Move and Recruitment for the Role
Brett Laiken and Graham Discuss Florida’s Tourism Momentum and Global Appeal
Graham and Elliot Ferguson on Positioning DC as a Cultural and Inclusive Global Destination
Graham Talks to Fraser Last About His England-to-Ireland Trek for Mental Health Awareness
Kathy Nelson Tells Graham About the Honour of Hosting the World Cup and Kansas City’s Future
Graham McKenzie on Sir Richie Richardson’s Dual Passion for Golf and His Homeland, Antigua
ADS PRO 
Phocuswright reveals the world's largest travel markets in volume in 2025
Cyclone in Sri Lanka had limited effect on tourism in contrary to media reports
Higher departure tax and visa cost, e-arrival card: Japan unleashes the fiscal weapon against tourists
Singapore to forbid entry to undesirable travelers with new no-boarding directive
Euromonitor International unveils world’s top 100 city destinations for 2025