Fraud on Velocity Frequent Flyer accounts

At least two of the posters here had their email compromised prior to the VFF hack.
I my case, my e-mail was not hacked directly with the e-mail provider. It was only hacked as far as I can see from the Velocity side. ie. they never found out what my e-mail password was. All they got out of Velocity was my actual e-mail address to flood it with spam, which goes to show I presume that Velocity just store member e-mail addresses unencrypted and in plain text on their servers.

You'll never be able to find out any common factor. It could be something as random and out of anyone's control such as all the affected accounts were stored on the same physical server drive in the data centre, and that specific drive is the one the hackers were able to get into before the intrusion was noticed.
 
I my case, my e-mail was not hacked directly with the e-mail provider. It was only hacked as far as I can see from the Velocity side. ie. they never found out what my e-mail password was. All they got out of Velocity was my actual e-mail address to flood it with spam, which goes to show I presume that Velocity just store member e-mail addresses unencrypted and in plain text on their servers.

You'll never be able to find out any common factor. It could be something as random and out of anyone's control such as all the affected accounts were stored on the same physical server drive in the data centre, and that specific drive is the one the hackers were able to get into before the intrusion was noticed.
I thought you were in the same boat but in my case, they had my email address from somewhere (ie me opening a pdf I shouldn't have) and used that to hack my VFF. ie not hacked my VFF to get my email address. Somehow they were able to get access to my VFF, and make changes to contact details, using only my email address. They also spammed everywhere but were successful (to a degree) only with VFF. ie they were unsuccessful elsewhere including mygov. My email address doesn't have a password but it is often the username.
 
Last edited:
No, I've had no intrusion anywhere else, my PC is malware-free and doesn't run any remote access software at all (not even built-in Microsoft nonsense). My router is newly repaired and upgraded and I'm running pfSense firewall. I have no reason to believe they got into my e-mail first and then went for VFF, but much rather the other way around. If they had got into my e-mail, there are bigger targets to aim for from there than VFF.
 
No, I've had no intrusion anywhere else, my PC is malware-free and doesn't run any remote access software at all (not even built-in Microsoft nonsense). My router is newly repaired and upgraded and I'm running pfSense firewall. I have no reason to believe they got into my e-mail first and then went for VFF, but much rather the other way around. If they had got into my e-mail, there are bigger targets to aim for from there than VFF.
My IT dept assured me they hadn't gotten into my email (Outlook, via Microsoft account) as I thought they may have seen emails from Velocity etc with account numbers etc. Fortunately the bigger fish probably has 2FA but the only other hit I got (ie request to change password or OTP request) was from MyGov.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.

I don't remember submitting my details to them ever ; did they stay any reason for the 100 pt check.
 
I don't remember submitting my details to them ever ; did they stay any reason for the 100 pt check.
They said that it's required to get my Virgin points account back.

Can you post a screenshot of the email without your personal details?
Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
 
If you're in one of the numerous hacks of personal information lately (Latitude, Optus, etc), that info is already out there, and you're already at risk. Do you add more risk to that?

But like others have pointed out, Velocity haven't exactly been good with their cybersecurity.

Personally, I don't have that many points in my Velocity account, so I wouldn't bother. It's risk vs reward.
 
They said that it's required to get my Virgin points account back.


Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
It sounds very suspicious imo.
Bottom line- do not use hyperlinks to access you VFF a/c. Only access directly via VA website
 
They said that it's required to get my Virgin points account back.


Not going to post the whole e-mail, but here's the excerpt of that part. I believe it's legitimately from Virgin. The question is, do I risk my personal security to get my points back or do I just let it go?

Velocity believes that incorrect or incomplete information has been provided in connection with the account. Specifically, we have identified the residential address and phone number may be incorrect.

To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
And how, pray tell, is providing a copy of your passport going to help verify residential address or phone number? Neither is contained in the passport details page.

Similarly phone number is not contained on a utilities invoice or drivers license.

Drivers license and utilities bill should be able to confirm residential address.
 
Did anyone else receive an e-mail from Virgin asking to provide 100 points of ID? I'm having second thoughts about providing all this sensitive information to a company that's just been or is still being hacked.
Sounds dodgy.

Others on this thread (from what I have read) who had points stolen were asked to set up a new account then give Velocity the new account details then Velocity would transfer the points to the new account. No one else was asked to send id documents. This could be the scammers??
 
This is the process I gone through after they have finalised the investigation:
-Create new account
-Called velocity, and they confirmed old and new accounts
- Unblocked old account for us the delink flybuys and 7 eleven ( didi will need to contact their support)
- Transfer and merge historical activities to the new account before closing old account. Need to link family pool if you have it setup before.
- Confirm all details looks good on new account before letting me go.
 
Here's a tip if you have to de-link FlyBuys. Only de-link FlyBuys after Velocity has unblocked your compromised account. You basically have to de-link it live while you are on the phone to Velocity and they have temporarily unblocked your compromised account. If you de-link FlyBuys while your Velocity account is blocked, the de-linking will not be recognised by Velocity. I worked this out the hard way.
 
To assist us in trying to resolve this matter as quickly as possible and work towards restoring your membership, please provide the following;
  • Your most recent utility bill to confirm the address for your account
  • A current driver’s license or passport
  • Confirm the e-mail address and phone number associated with your Velocity account is correct
I note that they have spelled licence incorrectly. The spelling they have used is the verb i.e. to license or permit someone to do something e.g. licensed to serve alcohol. Now it may well be the case that this is a genuine email composed by someone less pedantic than me (99% of the population) but that error alone would be a red flag for me.
 
EXCLUSIVE OFFER - Offer expires: 20 Jan 2025

- Earn up to 200,000 bonus Velocity Points*
- Enjoy unlimited complimentary access to Priority Pass lounges worldwide
- Earn up to 3 Citi reward Points per dollar uncapped

*Terms And Conditions Apply

AFF Supporters can remove this and all advertisements

Same issue here. 1.3m points gone, Got an email stating "Your account profile has been updated", tried to log in almost immediately, no luck. Influx of spam. Was able to get in touch with a Velocity agent, of course all my details were changed. Restored access to the account, saw the transaction - redemption to Luxury Escapes. Didn't take the screenshot and now my account is suspended. Spoke to the "manager", usual mantra - 30 business days, no case id, etc.

Good thing is that I managed to catch it almost immediately - Friday evening, another hour or so and no-one will be available; the bad thing is that it was too little late, anyway. Found this treat, looks like I am not the only one. Reported the case to the Cyber Police, oh well.

Wait and see? Or there is something else that I can do?
 
If the password you used for Velocity was not unique, change it anywhere else you might have used that password.

Do you recall a text or email from Velocity recently where you clicked on a link and entered your login details? Might have been phished?

The media should pick this up and call on Velocity to tell us when they will have 2FA in place.
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top