What happened
In March 2021 Air New Zealand notified Airpoints members of a credential-stuffing attack in which a third party used stolen credentials from elsewhere to access a number of member accounts [rnz-airnz]. The airline locked affected accounts and forced password resets. The number of accounts accessed was not precisely disclosed and is not estimated here.
Timeline
- 2021-03 โ Air NZ disclosed the Airpoints credential-stuffing attack [rnz-airnz].
Current status
Resolved; affected accounts secured. Figures are as reported. [rnz-airnz]
Why it matters
A classic credential-stuffing case โ reused passwords, not an Air NZ system flaw, were the way in.