Amtrak is notifying some customers that their Guest Rewards Accounts have been hacked.
According to a notification letter to the affected individuals, a copy of which was submitted to the state of Massachusetts, no Amtrak systems were compromised in the attacks, as credential stuffing was employed.
As part of such attacks, threat actors leverage username and password combinations obtained from other data breaches, from malware infections, or phishing, in an attempt to gain access to accounts that use the same login credentials.
“We believe that the unauthorized party may have obtained your login credentials from third-party sources. We have no indication that your login credentials were obtained from our systems,” Amtrack says.
The national passenger railroad company says that the attackers started accessing the targeted accounts on May 15, 2024, and that they were evicted on May 18, after the credentials for the compromised accounts were reset.
The attackers, Amtrack says, were seen changing the email addresses for the hacked accounts and accessing profile information, including names, contact details, dates of birth, Amtrak Guest Rewards account numbers, partial credit card numbers and expiration dates, gift card information, and details about transactions and trips.
“Promptly after becoming aware of the issue on May 15, 2024, we began an investigation and took steps to secure your account. We have changed the email address for your Amtrak Guest Rewards account back to your email address and initiated a reset of your account password,” the company says.
Amtrak urges the affected individuals to reset their account passwords and to change the credentials for other online accounts secured with the same or similar usernames and passwords, and to use multi-factor authentication for their Amtrak Guest Rewards accounts.
The impacted individuals are also advised to order free credit reports, to review account statements to discover fraud and identity theft and report such incidents, and to consider placing a fraud alert on their credit files.
What Amtrak did not say was how many individuals might have been affected by the incident. SecurityWeek has emailed the company for additional details and will update this article as soon as a reply arrives.
Related: Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication
Related: 340,000 Jason’s Deli Customers Potentially Impacted by Credential Stuffing Attack
Related: Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts
