Australian Angus Kidman is a frequent flyer points guru. If there's anyone who knows how to earn them, grow them and redeem them, it's him.
But even he wasn't immune to a simple hack a sneaky stranger used to steal almost 47,000 precious points from his account to buy an overseas flight.
Mr Kidman, the editor-in-chief at finder.com.au, is now warning Australians to be careful — frequent flyer points theft is now a thing we should be worried about.
The drama for Mr Kidman started in May when he checked his Virgin Velocity points account and noticed the balance was many thousands short of what he remembered.
He checked the activity list and saw 46,700 points had been redeemed on a one-way Silk Air flight from Singapore to Shenzhen in China. But he hadn't booked that flight — his account had been hacked.
"I was aware of the potential (for points theft) because anything you can log into can be a target for identity theft because it's got your name, address, your date of birth and so on," Mr Kidman told news.com.au.
"And I knew there was an established criminal market onselling stolen frequent flyer points.
"But I hadn't encountered a situation where someone was able to make a booking. That was odd to me."
"The flight would have to have been booked under their name because it was an international flight and they would have needed a passport," Mr Kidman said.
"As far as I could tell, they took the flight.
"They booked it one day and flew the next day, probably to minimise the chance of being caught in between."
Mr Kidman immediately got onto Virgin Australia, which launched an investigation into the theft claim. The company suspended his account and transferred him to a new one. The next month, 46,700 points were returned to his Velocity balance.
"I was reasonably happy with how Virgin handled it," he said. "It was time-consuming but I expected that. And I was happy they were sympathetic and quite clear about what was going to happen and that it might be a long wait.
"I was reasonably confident (Virgin would restore the points) because it was strange booking behaviour and if they went back and looked, they would have seen the flight would have to have been booked by someone reasonably close to Singapore if they took the flight the next day."
SO HOW DID THIS HAPPEN?
Mr Kidman said Virgin wouldn't be drawn on how exactly his account had been hacked, likely to avoid revealing any vulnerabilities that could be exploited by someone else.
And as he had a robust and unique password for his account, he knew it wasn't sloppy security on his part.
So he only has a few theories to explain how it happened.
"There could possibly be some kind of flaw within the system that would let you potentially make a booking without having to log in with a password," he said.
"There's no such thing as a perfect piece of software, so there could be some kind of exploit people are taking advantage of.
"Another cause could be an internal problem — maybe someone who had access on the back-end or a dodgy travel agent. That kind of risk is inherent. I don't think it's a massively common issue but there's obviously potential for misuse."
Mr Kidman said he then found a booking confirmation email for the Silk Air flight, which had been booked on April 25 for the next day. The email had been filtered into his junk mail folder, which is why he didn't know about it sooner.
Mr Kidman said there were a few things people could do to minimise the chance of their points accounts being hacked. The first was to lock down the account with a strong, unique password.
"I have no doubt if it happened to a lot of people, it was because they used the same password across different accounts, such as for their emails or something," he said.
"Don't repeat passwords. I know people struggle with that, but a password manager can help."
He also suggested people set a monthly reminder to log into their frequent flyer account, check their balance and ensure all activity looked normal.
"Lots of us have big points balances, maybe from a big transfer, and those points are real money. People check their bank accounts regularly, and they should do the same with their frequent flyer accounts.
"There might not be anything you can do to stop a flaw in the system, but the sooner you raise an issue the faster it can be fixed."
Mr Kidman also suggested not responding to emails requesting frequent flyer information, as they could be phishing scams.