Air New Zealand warns of an ongoing credential stuffing attack

Air New Zealand suffered a security breach, multiple customers have been locked out of their accounts after the incident.

Air New Zealand suffered a security breach, threat actors attempted to access customers’ accounts by carrying out credential-stuffing attacks.

What is credential stuffing?

“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, attackers glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

Air New Zealand chief digital officer Nikhil Ravishankar​ pointed out that threat actors did not hack any company’s systems, but only individual accounts were impacted.

“The breach only occurred with a small number of Air NZ customers, and no fraudulent transactions or sensitive information was accessed by the scammers, he [Ravishankar] said.” reported the website Stuff.co.nz.

“The accounts were locked and customers were contacted to be advised to change their login details before using the Airpoints system again, he said.”

The company is urging customers to change their passwords before using the Airpoints system again and also change their passwords on all accounts that used the same “Air NZ” password.

“This is a common problem where people use the same email address and password for more than one online login and do not update their passwords regularly or utilise features such as multi-factor authentication,” Ravishankar ​added.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Air New Zealand)

[adrotate banner=”5″]

[adrotate banner=”13″]