SINGAPORE – Five KrisFlyer members who had their accounts hacked, resulting in travel miles being transferred out, have had the transactions reversed by Singapore Airlines (SIA).

A spokesman for the airline said on Thursday that the miles have been credited back into the members’ accounts and those affected have been prompted to change their passwords.

Mr Nicholas Ong, who had 170,000 miles transferred out of his account on Oct 15, was relieved over the SIA move.

He first realised his miles were gone when he received a notification that his KrisFlyer account details had been changed. KrisFlyer is the frequent flyer programme of SIA.

The 43-year-old creative consultant said: “It took me about eight years to save all those miles – 170,000 miles are almost enough to redeem two business class tickets to the United States, and I had plans to use it to bring my family on a holiday.”

SIA said between Oct 15 and 18, five KrisFlyer members’ accounts were accessed using e-mail addresses and passwords which the airline suspects were previously compromised on non-SIA Group websites.

The affected account holders were likely using the same compromised usernames and passwords for their KrisFlyer accounts, added the spokesman.

SIA said its investigations revealed unauthorised miles transfers and all five accounts were immediately suspended to prevent further miles usage.

It noted that the successful logins to the KrisFlyer member accounts were not due to a breach of SIA’s IT systems.

“SIA apologises to all affected KrisFlyer members for any inconvenience that this may have caused to them,” added the spokesman.

The airline did not mention how many miles in total were transferred out.

Mr Jesmond Chang, head of corporate communications for Asia-Pacific at cyber-security firm Kaspersky, said passwords may be exposed in various ways: A victim may be targeted by someone he or she knows, or cyber criminals may use software to run numerous possibilities of password combinations and steal them. Passwords can also be compromised if there is a data breach.

“When cyber-threat actors compromise websites and online accounts, they publish lists of usernames, e-mail addresses and passwords online or on the Dark Web.

“When this happens, they start looking for other accounts that the person is associated with, and once they find the accounts, they can try logging in with the exposed password,” explained Mr Chang.