Here's a reminder of why you shouldn't use the same password or login credentials across multiple accounts --even when it comes to frequent flier accounts.
When a hacker manages to successfully steal a password from one account, he or she will test to see if it works elsewhere.
That's what apparently happened in late December when United and American customers had their bonus miles stolen.
American Airlines just started notifying customers Monday that the thieves used customers' frequent flier miles to try to book trips and acquire upgrades on new travel.
Spokeswoman Martha Thomas said that roughly 10,000 customers' accounts were affected and some had their miles frozen while the airline set up new accounts. Customers with US Airways, that merged with American in Dec. 2013 -- were not affected by the online theft.
United Airlines spokesman Luke Punzenberger said thieves booked trips or made mileage transactions on up to three dozen accounts. United notified customers in late December.
American and United both say they plan to restore lost miles to affected accounts. But both airlines were quick to point out that the intrusions were not caused by a data breach, and the usernames and passwords were obtained elsewhere.
"We're still investigating where the user names and passwords came from, but this third party was operating under the assumption that people might be using the same user name and password combinations for multiple accounts,” Thomas said.
American said it will offer free credit monitoring to affected account program participants and will work with federal agents to investigate the manner.
Security experts say that thieves target frequent flier programs not because they need a vacation. It's because these loyalty programs are worth real money and can often be be exchanged for gift cards or cash through legitimate services, such as FlipMyMiles.com.
So, if you have frequent flier account with United, American or any other carrier, for that matter, now is a good time to check your status. And remember to make sure that every password-protected account you have has its own unique password.