Fraud on Velocity Frequent Flyer accounts

At least two of the posters here had their email compromised prior to the VFF hack.
In my case, my e-mail was not hacked directly with the e-mail provider. It was only hacked as far as I can see from the Velocity side, i.e. they never found out what my e-mail password was. All they got out of Velocity was my actual e-mail address to flood it with spam, which goes to show I presume that Velocity just store member e-mail addresses unencrypted and in plain text on their servers.

You'll never be able to find out any common factor. It could be something as random and out of anyone's control such as all the affected accounts were stored on the same physical server drive in the data centre, and that specific drive is the one the hackers were able to get into before the intrusion was noticed.
 
In my case, my e-mail was not hacked directly with the e-mail provider. It was only hacked as far as I can see from the Velocity side, i.e. they never found out what my e-mail password was. All they got out of Velocity was my actual e-mail address to flood it with spam, which goes to show I presume that Velocity just store member e-mail addresses unencrypted and in plain text on their servers.

You'll never be able to find out any common factor. It could be something as random and out of anyone's control such as all the affected accounts were stored on the same physical server drive in the data centre, and that specific drive is the one the hackers were able to get into before the intrusion was noticed.
I thought you were in the same boat but in my case, they had my email address from somewhere (ie me opening a pdf I shouldn't have) and used that to hack my VFF. ie not hacked my VFF to get my email address. Somehow they were able to get access to my VFF, and make changes to contact details, using only my email address. They also spammed everywhere but were successful (to a degree) only with VFF. ie they were unsuccessful elsewhere including mygov. My email address doesn't have a password but it is often the username.
 
No, I've had no intrusion anywhere else, my PC is malware-free and doesn't run any remote access software at all (not even built-in Microsoft nonsense). My router is newly repaired and upgraded and I'm running pfSense firewall. I have no reason to believe they got into my e-mail first and then went for VFF, but much rather the other way around. If they had got into my e-mail, there are bigger targets to aim for from there than VFF.
 
No, I've had no intrusion anywhere else, my PC is malware-free and doesn't run any remote access software at all (not even built-in Microsoft nonsense). My router is newly repaired and upgraded and I'm running pfSense firewall. I have no reason to believe they got into my e-mail first and then went for VFF, but much rather the other way around. If they had got into my e-mail, there are bigger targets to aim for from there than VFF.
My IT dept assured me they hadn't gotten into my email (Outlook, via Microsoft account) as I thought they may have seen emails from Velocity etc with account numbers etc. Fortunately the bigger fish probably has 2FA but the only other hit I got (ie request to change password or OTP request) was from MyGov.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.

I don't remember submitting my details to them ever; did they state any reason for the 100 pt check?
 
I don't remember submitting my details to them ever; did they state any reason for the 100 pt check?
They said that it's required to get my Virgin points account back.

Can you post a screenshot of the email without your personal details?
Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
 
No way would I be providing all that info without being very sure of whom I was talking to first, given the recent history of fraud.
 
If you're in one of the numerous hacks of personal information lately (Latitude, Optus, etc), that info is already out there, and you're already at risk. Do you add more risk to that?

But like others have pointed out, Velocity haven't exactly been good with their cybersecurity.

Personally, I don't have that many points in my Velocity account, so I wouldn't bother. It's risk vs reward.
 
They said that it's required to get my Virgin points account back.


Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
It sounds very suspicious imo.
Bottom line - do not use hyperlinks to access your VFF a/c. Only access directly via VA website.
 
They said that it's required to get my Virgin points account back.


Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
And how, pray tell, is providing a copy of your passport going to help verify residential address or phone number? Neither is contained in the passport details page.

Similarly, phone number is not contained on a utilities invoice or driver's license.

Driver's license and utilities bill should be able to confirm residential address.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.
Sounds dodgy.

Others on this thread (from what I have read) who had points stolen were asked to set up a new account then give Velocity the new account details then Velocity would transfer the points to the new account. No one else was asked to send ID documents. This could be the scammers??
 
