A new exploratory study by cybersecurity experts from NordVPN, conducted in collaboration with the team behind the Saily eSIM, offers a rare glimpse into how airline and hotel loyalty accounts circulate in the darker corners of the internet.

This was not designed as a sweeping industry audit or a headline-grabbing breach report. Instead, it is a focused investigation into loyalty data exposure on the dark web over the past five years. The findings do not claim to represent the entire threat landscape, but they reveal patterns that should make frequent travelers pause and rethink how they protect their accounts.

How the research was conducted

To collect and analyze data, researchers relied on NordStellar, using its Dark Web Search tool combined with AI-driven filtering. The goal was simple in theory but complex in execution: identify meaningful discussions about stolen travel loyalty data and separate them from the overwhelming noise of spam, recycled posts, and scams that dominate dark web forums.

The research unfolded in several stages.

Dark web search setup

AI filtering was used to automatically identify and classify posts potentially related to travel, airlines, hotels, and loyalty programs.

Airline-related analysis

Using keywords such as “travel” and “airline,” researchers isolated 1,045 unique posts that meaningfully discussed airlines and loyalty accounts. To avoid inflated results, multiple mentions of the same airline within a single post were counted only once.

Hotel-related analysis

A similar process was applied using the keyword “hotel.” After filtering and deduplication, 551 unique posts referencing hotel loyalty programs remained.

Leaked travel database listings

To identify posts advertising stolen databases, researchers searched for pricing indicators like “price,” “$,” “USD,” “BTC,” and “XMR,” combined with a database tag. Out of 17,578 initial results, only 29 posts, roughly 0.2 percent, were genuinely related to travel data.

The researchers are clear about one thing. The dark web is fragmented, inconsistent, and often deliberately misleading. These results are best read as directional insights rather than definitive statistics.

A first-class ticket for stolen airline loyalty accounts

One of the clearest signals from the data is just how attractive airline loyalty accounts remain for cybercriminals. Discussions involving American Airlines, Southwest Airlines, Emirates, United Airlines, Alaska Airlines, and Delta Air Lines account for more than half of all airline-related cybercrime discussions observed.

The appeal is straightforward. Loyalty accounts can hold hundreds of thousands of miles, which can be converted into flights, upgrades, or other perks with real-world value. Some sellers openly advertise access to these accounts, often without listing prices. When prices are disclosed, stolen accounts have been offered for as little as $0.75 and as much as $200, depending on the balance and airline.

What is rarely mentioned in these sales pitches is the risk on both sides. Sellers promise “safe flights” or delayed payment, but transactions may involve stolen credit cards or compromised payment methods. That dramatically increases the chance that tickets or upgrades will be flagged, cancelled, or traced back to fraudulent activity.

Most mentioned airlines in dark web discussions

Southwest Airlines (12.2%)
Emirates (11.5%)
United Airlines (11%)
Alaska Airlines (10.4%)
American Airlines (8.9%)
Delta Air Lines (7.3%)
JetBlue (6.5%)
Frontier (5.9%)
British Airways (5.5%)
Spirit Airlines (4.3%)
Lufthansa (3.3%)
Air Canada (2.3%)
China Airlines (2.3%)
Vietnam Airlines (1.9%)

Hotel loyalty data is just as valuable

Airlines are not the only targets. Hotel loyalty programs appear frequently in dark web listings, often bundled inside much larger leaked databases. According to the study, hotel-related posts frequently include full guest profiles alongside loyalty credentials.

Chains such as Hilton, Marriott, and IHG dominate discussions, accounting for 34 percent, 24 percent, and 21 percent of hotel mentions, respectively. Other brands, including Hyatt, Choice Hotels, and MGM Resorts, also appear in posts advertising leaked data.

What makes hotel datasets especially attractive is their depth. Some listings include millions of records, containing names, email addresses, stay histories, and in some cases, passport numbers. High-value databases with particularly sensitive information have reportedly been sold for up to $3,000.

Why loyalty accounts keep getting compromised

The methods behind these compromises are familiar but persistent. Phishing campaigns, credential stuffing attacks, and data breaches remain the primary entry points. Once attackers gain access, loyalty points are easy to monetize. They can be redeemed for gift cards, transferred between accounts, or used to book travel that is later resold.

Because these redemptions often resemble normal customer behavior, fraudulent activity can go unnoticed for weeks. That window is usually enough for criminals to extract value and disappear.

The travel sector remains a high-value target because it combines personal data, payment information, and loyalty currencies that function almost like digital cash.

How travelers can reduce their risk

There is no single fix, but there are practical steps that make a real difference. Strong, unique passwords for every airline and hotel account remain essential, as does enabling multi-factor authentication wherever it is available.

Regularly checking account login histories and point balances can help catch suspicious activity early. Many programs also allow alerts for unusual redemptions, which can be critical when timing determines whether points can be recovered.

When traveling, digital hygiene matters even more. Using a VPN like NordVPN reduces exposure on public networks, while eSIM services such as Saily reduce reliance on unsecured public Wi-Fi altogether.

Conclusion: What this tells us about travel cybercrime

This study aligns closely with broader trends observed by organizations like ENISA, Verizon’s Data Breach Investigations Report, and Have I Been Pwned. Loyalty programs are no longer peripheral targets. They are central assets in the cybercrime economy, valued for their liquidity and the difficulty of tracing abuse in real time.

Compared with financial services, the travel industry still lags in enforcing universal multi-factor authentication and real-time fraud monitoring for loyalty redemptions. That gap is narrowing, but slowly. Airlines and hotel groups are investing more in account protection, yet attackers continue to exploit weaker links such as reused passwords and unsecured travel connections.

For travelers, loyalty points now deserve the same level of protection as bank accounts. They are no longer just perks. They are currency. And as long as they remain valuable, they will remain a target.