
Hackers access Amtrak guest rewards accounts using compromised credentials


US rail company Amtrak is informing its guest rewards account users of a data breach. The accounts were allegedly accessed via previously compromised credentials obtained through “third-party sources”, and Amtrak has no reason to believe its systems have been compromised.

Amtrak’s free guest rewards program allows the network’s users to collect points over their train journeys that can later be used for travel upgrades, gift cards, and even company merch. While these accounts may not seem like much, they exposed a range of information to the hackers, including email addresses, names, contact information, account numbers, dates of birth, payment details including partial credit card numbers and expiration dates, and even information about the account holder’s previous Amtrak journeys.

Following the three-day attack between May 15 and 18, Amtrak has now forcibly enabled two-factor authentication on users’ accounts. The railway company is also forcing password and email changes, as in some cases the attackers had changed the email addresses of the targeted accounts.


These changes are detailed in a letter that the company sent out to the account holders stating that it has “enabled multifactor authentication” on user accounts. While Amtrak claims to have enabled multifactor authentication, the implemented method more closely resembles two-factor authentication, requiring the account password along with a one-time password sent to the user’s phone number or email address.

The letter also includes detailed guidance for users to monitor their credit reports and raise alarms if they find anything suspicious. While it’s the norm for companies to provide free credit monitoring services following data breaches, Amtrak’s notification does not mention any such services.

This isn’t the first time Amtrak’s guest reward program has been targeted, either. The company faced a similar attack back in 2020, in which user accounts were compromised and sensitive data was accessed. That said, this attack has leaked more data than the previous one, as the earlier break-in was detected quickly, and no financial data was at risk.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.