Well, it finally happened — I fell victim to one of my loyalty program accounts being hacked, specifically my Southwest Rapid Rewards account. On Dec. 3, I received an email from Southwest at 9:30 p.m. EST confirming my hotel reservation at Hampton Inn & Suites Kalamazoo-Oshtemo for a check-in date of Dec. 4 and a checkout date of Dec. 5.
The email stated that 17,100 Southwest points were deducted from my account to book this hotel. According to TPG’s December 2024 valuations, that’s about $240 in value. Initially, I thought this might be a phishing email scam trying to coax me into clicking on the links provided to steal information. Immediately, I logged into my Southwest account to check if the points had been deducted.
Unfortunately, yes, this hacker had used my hard-earned reward points to book a hotel stay.
Here are the steps I took to get my points back and how you can try to prevent hackers from stealing your points and miles.
What I did when my Southwest Rapid Rewards account was hacked
After realizing that someone had accessed my Rapid Rewards account, I immediately changed my password to prevent additional points from being used. Next, I called Southwest to inform the airline that my account had been hacked and that my points had been used fraudulently.
Because it was late at night, the Southwest representative informed me that this was a Rapid Rewards issue — she could only assist with flights and not hotel reservations — so I would need to call the phone line for the loyalty program in the morning when it reopened.
However, the Southwest rep told me to call the hotel directly to let them know that this reservation was made because my account had been hacked. Though it would not help me get my points back immediately into my account, it was worth leaving a paper trail of the steps taken to show that this was fraud.
When I called the hotel directly, the front desk employee was extremely apologetic. Though she could not cancel the reservation on her end, she left a detailed note for her manager to give me a call in the morning so he could try to resolve the issue.
Though nothing further could be done that night to get my Southwest points back, I spent the next few hours making sure my loyalty program passwords were updated. While some airlines and hotel programs have employed two-step authentication, others, such as Southwest, have not yet followed suit.
To give myself peace of mind, I decided to change all of my passwords to try to mitigate the risk of my other accounts being hacked and my rewards being stolen using my information.
The next morning, I called Southwest Rapid Rewards and gave the woman a detailed description of what had happened, explaining that I had immediately contacted Southwest, informed the airline of the account hack, called the hotel and changed my account password. The rep told me that she would be filing a report and that someone from Southwest would follow up with me via email regarding my points. She noted several times that it was a good thing I had discovered the hack immediately, as some people don’t realize for months that they have rewards missing from their account.
After I was done speaking with the Southwest rep, the hotel manager gave me a call to let me know that he had received the booking note and he would be canceling the reservation on his end. Because this reservation was booked with points through a third party, he could not give me back my rewards, but again, it showed Southwest that a paper trail was being left to help my case.
Southwest did give me my points back, but …
On Dec. 4, I received an email from a Southwest Rapid Rewards rep telling me that the airline takes “the security of our members’ Rapid Rewards accounts seriously, and we protect our members from fraudulent activity by fortifying your data against a breach.” The email states that Southwest “requires members to enter a password prior to accessing any of their account information,” and they encourage the use of a “strong password.”
The email also cites Southwest’s terms and conditions, noting that the airline is “not responsible for unauthorized access to a member’s account and will not replace stolen points or awards.”
However, as a “gesture of goodwill and one-time exception,” Southwest decided to refund me the 17,100 points.
Aside from being a Rapid Rewards member, I also hold the Southwest Rapid Rewards® Plus Credit Card. I’m not sure if this fact was taken into account when my case was being reviewed.
While I am thankful that Southwest returned my reward points, I can’t help but acknowledge that we live in a digital age in which hackers and scammers work endlessly to access people’s personal account information. Even big corporations have fallen victim to these hacks. For Southwest to rely solely on one password and not an additional step to authenticate the user seems a bit behind the times.
We reached out to Southwest with my experience, and a spokesperson sent us the following statement:
Southwest is committed to protecting our Customers’ accounts with comprehensive cyber security controls. We will continue to enhance our core technology and have implemented a range of proactive and responsive security measures across our platforms.
It’s worth noting that Southwest isn’t alone here, as several other airlines — including American and Frontier — don’t have two-factor authentication options for securing your loyalty account balances.
So, how am I trying to protect my accounts in the wake of this hack?
Steps to protect your loyalty accounts to safeguard your points and miles
Though these additional steps aren’t guaranteed to protect your personal information and loyalty accounts, they sure won’t hurt.
Change and update your passwords
Whether you’ve been hacked or not, updating your password regularly is a good idea, especially if you haven’t done so in a long time. Additionally, make sure to have different passwords for each of your accounts. If you have one password (or a very similar one) for every account, a hacker who gets hold of it may easily access all of them.
Set up two-step authentication (when possible)
Nowadays, many airline and hotel loyalty programs offer two-step authentication to help secure your account. In addition to your password, the program will typically require a code, which will be sent via email or text or generated by an authentication app such as Google Authenticator.
Get email and/or text alerts
Though no one likes to be inundated with a bunch of emails and/or texts, it’s a good idea to make sure your communication preferences are updated. Most programs will contact you when a booking is made, your points and miles are used or even if your contact information/profile has been updated. This will help you identify fraud early — which can make it easier to resolve.
Because Southwest immediately notified me about my booking — and because I’m someone who frequently checks my emails on my phone — I could contact the proper parties right away, change my account password and resolve the issue.
Bottom line
A hacker recently redeemed more than 17,000 of my Southwest Rapid Rewards points, though I was able to quickly take steps to get them back. Unfortunately, I am not the first — and won’t be the last — points and miles enthusiast to fall victim to an account hack. Earlier this year, TPG managing editor Clint Henderson had almost 400,000 American Airlines AAdvantage miles stolen from his account. Luckily, he too got them back.
But as fraudsters continue to get more clever in their hacking methods, it’s best to be diligent and pay close attention to your personal accounts. Though Southwest refunded me my points, according to their terms, this was not guaranteed and replacement of stolen points is seemingly only approved on a case-by-case basis. Therefore, to ensure you don’t completely lose out on your hard-earned rewards, take additional steps to secure your accounts.