Amtrak confirms crooks are breaking into accounts using creds swiped from other DBs

US rail service Amtrak is writing to users of its Guest Rewards program to inform them that their data is potentially at risk following a derailment of their individual account security. 

The three-day attack took place between May 15-18. Miscreants were breaking into accounts using valid credentials that were sourced from "third-party sources," said Amtrak, which added there was no reason to believe its own systems were compromised.

In other words, credential stuffing: That's where scumbags get hold of people's usernames and passwords from one compromised database or system, and use them to unlock access to accounts at other places where netizens have reused the same credential combination. That's why everyone's encouraged to use unique passwords per account as well as multi-factor authentication.

In this case, some miscreant's used customer credentials stolen from a non-Amtrak site and tried them against Amtrak accounts, and got into at least some of them.

Amtrak Guest Rewards is a free program available to Americans who actually use the nation's rail system – the world's largest rail network of its kind – to get around the country, allowing them to accrue points that can be spent on things like travel upgrades, gift cards, and even Amtrak merch for the most dedicated train fans.

However, the only upgrade coming to affected users now is mandatory multi-factor authentication (MFA) on their accounts, which Amtrak has enabled without the accountholder's intervention.

It actually sounds more like two-factor authentication (2FA) rather than true MFA, but organizations often prefer to say "MFA" to make it sound more secure.

Amtrak said in a letter [PDF] to affected customers: "As a precaution to improve your account security and prevent unauthorized account access, Amtrak has enabled multifactor authentication on your Amtrak Guest Rewards account. Upon logging into your Amtrak Guest Rewards account, you will be offered a choice to receive a validation code either by email or text. After you receive the code, you enter it into the website or app to complete your login."

True MFA offers an additional layer of authentication beyond the basic password-and-code-entry system, such as the addition of number matching, biometrics, and location-based measures.

It's because the amount of data potentially accessed by the attackers includes:

• Email addresses, which may have been changed by the attackers

• Names

• Contact information

• Guest Rewards account numbers

• Dates of birth

• Payment details such as partial credit card numbers and expiration dates

• Gift card information such as the card number and PIN

• Information about the accountholder's previous Amtrak journeys

In addition to Amtrak forcibly enabling 2FA on affected accounts, it also forced password resets and changed the email address on the account, presumably because at least in some cases they were changed by the attackers, who haven't been identified.

"When you reset your Amtrak Guest Rewards account password, use a unique password that is not easy to guess or used for other accounts," the letter reads. 

"In addition to changing the password to your Amtrak Guest Rewards account, consider changing your credentials for other online accounts for which you use the same or a similar username and password and review those accounts for any suspicious activity."

• Amtrak back on track after server breakdown forces dozens of cancellations
• Feds sue Adobe and execs for stinging subscribers with 'hidden' cancellation fees
• Shoddy infosec costs PwC spinoff and NMA $11.3M in settlement with Uncle Sam
• Pure Storage pwned, claims data plundered by crims who broke into Snowflake workspace

Also included in the letter is detailed guidance about next steps and how customers can ensure no fraudulent activity has been taken using their data, with accountholders being offered one free credit report.

The Reg got in touch with Amtrak for further information, including details about how many customers were potentially affected, but it didn't immediately respond.

The incident marks the second time the rail company's rewards program has been breached by baddies. Back in 2020, it was forced to pen similar letters to users after accounts were broken into and personal data was accessed. Although, those particular breakins were detected quickly and no financial data was at risk – the only action taken was to block the attackers and reset passwords. ®