PaymentsJournal

Rewards Points Remain a Big Prize for Account Takeover Hackers

By Tom Nawrocki
May 6, 2025
in Analysts Coverage, Fraud & Security

Account takeovers (ATO) continue to be a major challenge for cybersecurity professionals, fueled by the high resale value of compromised accounts—especially those with valuable rewards points. A new report found that over 6.8 million accounts were listed for sale on criminal marketplaces in 2024.

According to the report from KasadaIQ, stolen accounts made up the majority of listings on these marketplaces in Q1 2025. One of the fastest-growing targets is the travel industry, where loyalty and reward programs are particularly lucrative for cybercriminals.

Focus on Frequent Flyers

Observed sales of stolen airline accounts increased by more than a third over the previous quarter, rising to more than 9,200 such ATOs. These accounts are being sold for nearly $30 apiece, with frequent flyer programs remaining high-value targets. Airlines ranked second only to retail as the most lucrative industry for ATO specialists.

Kasada also identified more than 13,000 accommodation and hotel/motel account sales in Q1 2025, with an average sale price of around $4.15 per stolen account. Accounts for hotel chains tend to command higher prices than many other types due to the redeemable rewards points they include. By contrast, homestay service accounts—such as Airbnb—sold for just 50 cents each.

Digging for Points

Rewards points seem to be a key factor attracting criminals. Kasada found that points were the most common feature attached to stolen accounts sold on criminal marketplaces. Criminals use open-source automated tools like OpenBullet not only to compromise dozens of accounts but also to determine how many loyalty points are associated with each one.

This adds value to otherwise innocuous accounts at places like quick-serve restaurants. Criminals can purchase these accounts for around $3.00—less than the cost of a meal. Because the value of each individual account seems small and may go unnoticed, this type of fraud is considered relatively low risk within the hacker community.

“ATO remains one of the financial services industry’s greatest fraud concerns,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Not surprisingly, consumers rarely consider accounts linked to rewards, such as retail and travel, at risk of attack. Because of that, consumers take few measures to ensure they use strong passwords that contain multiple and mixed characters across retail and travel accounts. That makes those types of accounts easy targets for cybercriminals to take over and cash out on.” 
