Stolen Velocity Points

Fizzydrink on 04/08/2024 - 23:56

Tldr
my velocity points got redemeed without my knowledge. Any one have any luck getting them back?

So, about a week ago, my email suddenly received about 2000 emails if various spam, website sign ups and other random crap.
A quick google suggested it was hacked and flooded as they use this method to cover up that one legit email the hacker looks for.

I changed password and went through, found my Twitter account reset request.
But today I get notified through award wallet, my velocity had dropped 46000 points.
Logging in, someone had a flight from Singapore to Beijing. Can't find any booking references though.

Velocity currently closed so calling tommorow
But has anyone had this, and did you get points back, or is it too bad, stiff poo?

Cheers
Fd

Travel Frequent Flyer Reward Points Velocity Frequent Flyer

Comments

  • holdenmg on 05/08/2024 - 00:07
    +2

    Hey, it happens.

    Read: https://www.finder.com.au/news/findings-virgin-velocity-acco…

    Phone Velocity tomorrow…

    • Fizzydrink on 05/08/2024 - 13:38

      Yeah, i saw that article, gives me hope.
      Velocity has said 30 days. See what happens.

  • Ghost47 on 05/08/2024 - 00:11

    Were you a victim of any of the data breaches out of curiosity?

    • Fizzydrink on 05/08/2024 - 00:22

      Not any that im aware

      • Randxyz123 on 05/08/2024 - 01:21
        +5

        Stick your email in haveibeenpwned

        Make sure you aren’t and don’t need to change any other passwords.

  • SBOB on 05/08/2024 - 07:20

    May I suggest your first action item would be enabling 2fa on your email account.

    • Fizzydrink on 05/08/2024 - 08:01

      Thing is, it does have it???

      Well everytime i login to pc it asks for a code sent to mobile.

      Wonder maybe if they have the recovery email?
      Now i think about it, i got random texts a few months ago, from "Microsoft" saying someones tryi g to get into.it. but given its a yahoo account, i brushed off as scam.

      Velocity doesnt have 2fa for some reason, or the option to enable

  • capslock on 05/08/2024 - 08:03
    +2

    Happened to me last month. My email also got heavily spammed to try and hide the confirmation emails from Velocity. I lost a lot more points than you but all Velocity will say is that it is under investigation and they will get back to me in 30 business days.

    The phone agent and his supervisor didn't sound surprised at all.

    So someone out there has a list of Velocity account numbers and passwords and they are systematically stealing points one account at a time.

    • Fizzydrink on 05/08/2024 - 08:33

      Bummer. Hopefully you get them back…

    • Ghost47 on 05/08/2024 - 14:08

      So someone out there has a list of Velocity account numbers and passwords and they are systematically stealing points one account at a time.

      Went to change my password just now just in case, thanks for the comment.

    • Fizzydrink on 11/09/2024 - 18:24

      Heard anything?

  • johninmelb on 05/08/2024 - 09:06

    Scary stuff. I have just logged in to check my account and all ok. Have now changed the password and set a new security question. Luckily the answer to the question I have chosen is a very obscure word so that might give me some measure of protection. I think my next move is setting up a new email just for subscription things like my ff accounts, everyday rewards, flybuys etc, and not used for anything else.

  • jv on 05/08/2024 - 09:22
    -5

    stiff poo?

    stiff poo

  • Duckie2hh on 05/08/2024 - 10:01

    Any 2FA?

  • theoracle30 on 05/08/2024 - 11:25

    It happened to me a few months back. I didn't get the email spam, though. I saw the points transfer email straight away. They did it at night when Velocity was closed.

    Anyway, my account was placed under investigation. Eventually, I got the points back and was told to make a new account, which they merged.

  • try2bhelpful on 05/08/2024 - 12:36
    +1

    Forgive my ignorance but how do they get away with it? Technically they shouldn’t be able to book a flight in anyone else’s name with someone’s frequent flyer points. If these people actually turn up for the flight it should be pretty easy to nab them.

    Sounds like Virgin needs to tighten up their security processes. Two factor authentication with phones should, definitely, be an option.

    • capslock on 05/08/2024 - 12:59
      +1

      The people taking the flights are probably victims too. The hackers sold them a cheap flight and when they get to the airport they are told their ticket has been cancelled because of fraud.

      • try2bhelpful on 05/08/2024 - 13:02
        +1

        The rules for Velocity points is it can only be yourself or immediate family. The people accepting the points aren’t so much victims as receivers of stolen property.

        • capslock on 05/08/2024 - 13:18
          +1

          There's websites out there claiming they can sell you business class flights for well under market price. The victims pay the hackers cash. The hackers use stolen points to book the flights.

          Also Velocity allows tickets to be booked for anyone. Qantas only allows family.

          • try2bhelpful on 05/08/2024 - 13:29

            @capslock: Can you please provide the link? Everything I see shows family and friends.

            Frankly those third party websites are dodgy, so buying from them should be at your risk.

            Sounds like Velocity needs to tighten their security.

            • capslock on 05/08/2024 - 14:00
              +1

              @try2bhelpful: The T&Cs doesn't say anything about who you can or can't redeem reward seats for so it is assumed that it is for anyone. If you have found T&Cs which says otherwise then feel free to post it.

              The T&C's does say points transfers are for family only but they don't enforce it anyway as that is how my points were stolen.

              • try2bhelpful on 05/08/2024 - 14:33

                @capslock: Sounds like they might have a hole in their process. They should restrict point purchases in the same way they restrict point transfers.

                If they aren’t enforcing their own rules then it, certainly, bolsters the argument they should return points.

                • Autonomic on 05/08/2024 - 14:53
                  +1

                  @try2bhelpful: Why? It's a good thing to be able to book flights for people who aren't family.

                  • try2bhelpful on 05/08/2024 - 15:06
                    -1

                    @Autonomic: Personally I don’t think it is. It exposes a security hole and it would seem to go against the concept of frequent flyer points as a reward to the frequent flyer. The more it becomes transactional the harder it is to find reward flights when you want them.

                    • Autonomic on 05/08/2024 - 18:05
                      +1

                      @try2bhelpful: Sorry, it's absurd. They're my points. I should be able to use them how I want. Restricting the ability to use points to make it "easier" to use is paradoxical or selfish depending on how you want to look at it.

                      • try2bhelpful on 05/08/2024 - 18:22

                        @Autonomic: I don’t agree with my idea being absurd, paradoxical or selfish. I think the rewards should be for the people who are flying, or their families, not to be sold for financial gain. Financial gain subverts what the airlines are trying to achieve. It is why points aren’t meant to be transferred outside families. They are your points there as well but the airlines reserve the right to shutdown your account if you try to sell the points. It seems absurd to be able to buy tickets for strangers but not be able to transfer points to them.

                        We just have different views on what is absurd, paradoxical and selfish.

                        • Autonomic on 05/08/2024 - 20:55

                          @try2bhelpful: You should be allowed to sell points, too. Don't let companies arbitrarily restrict their reward programs. They're already squeezing every dollar from you.

                          • try2bhelpful on 05/08/2024 - 21:15

                            @Autonomic: It is their reward program they set the rules. Personally I’ve done quite well out of the rewards programs. However, if I was setting the rules I would fly first class everywhere all the time. Of course nobody else would ever get a chance.

    • Stewardo on 05/08/2024 - 13:01

      I think the passengers would have been ripped off also. Probably bought cheap flights off hacker posing as a travel agent, who then booked the flights with OPs points.

  • itslittfam on 05/08/2024 - 21:41

    OMG same thing happened to me and Ive been locked out - had 2000 spam emails hit me about a week back. I have over 300k points in my account as well. Ill be calling velocity first thing in the morning but I'm probably expecting the worst :(

  • itslittfam on 06/08/2024 - 08:22

    Just called them. 30 business day investigation begins

    • try2bhelpful on 06/08/2024 - 12:13

      So you had lost points?

      • itslittfam on 06/08/2024 - 12:47

        I called them and they said someone had redeemed points from my account for ANA airlines (wasn't me obviously). But they didn't tell me how much points so will wait and see

        • try2bhelpful on 06/08/2024 - 14:58

          That absolutely sucks. Hope you get all your points back.

          • itslittfam on 06/08/2024 - 18:19

            @try2bhelpful: Velocity security absolutely sucks. No 2FA and apparently you can change email and phone number on the profile without alerting the original email/phone.

  • dazchan on 13/08/2024 - 02:14

    Same scenario just had the same happened to me now at 1AM, email flooded with spam and they've changed my velocity password.
    I've changed my email password now.
    The rouge login came from Malaysia.
    Iv'e spammed the velocity password 3 times to lock the account but who know whats the damage done.
    Will be on the phone to virgin velocity tomorrow morning.

    • dazchan on 13/08/2024 - 08:34

      Update: regained control now with a different email associated. Luckily nothing was taken/used.

      • try2bhelpful on 13/08/2024 - 09:48

        Excellent news. I like the idea of spamming the account to lock it out.

  • Chuppa on 13/08/2024 - 02:17

    No 2FA (or better) on your email accounts?!?!

  • Fizzydrink on 13/08/2024 - 17:35

    Yes i had 2fa. Im wondering if they dont actually have access to account. They just flood it to hide the email.

    Funnily enough, i got an email from velocity to paul, saying account suspended as they look into unusual activity. My names not paul though.

  • whisk on 24/08/2024 - 10:21
    +2

    Thank you to the original poster for the heads-up. This morning, I noticed my email was flooded with spam password resets, and because I had read this post, I immediately checked my Velocity account. Sure enough, someone had stolen 50,200 points for a Qatar Airways flight from Doha to Lagos.

    I contacted Virgin Australia right away, and they've since 'suspended' my account for up to 30 business days while their Investigations Team, who operate Monday to Friday, looks into the matter. (Today is Saturday so it seems these bastards know how to time these hacks!)

    Virgin will also reach out to Qatar Airways to notify them of the fraudulent booking.

    I’ll keep you all updated.

  • Fizzydrink on 13/09/2024 - 11:31
    +3

    Received an email yesterday.

    Velocity have made me change accounts, and transferred everything across to new number,
    Also gave back the 45k of points.

Login or Join to leave a comment
Login Join