US rail service Amtrak is writing to users of its Guest Rewards program to inform them that their data is potentially at risk following a derailment of their individual account security. 
The three-day attack took place between May 15-18. Miscreants were breaking into accounts using valid credentials that were sourced from “third-party sources,” said Amtrak, which added there was no reason to believe its own systems were compromised.
In other words, credential stuffing: That’s where scumbags get hold of people’s usernames and passwords from one compromised database or system, and use them to unlock access to accounts at other places where netizens have reused the same credential combination. That’s why everyone’s encouraged to use unique passwords per account as well as multi-factor authentication.

In this case, some miscreant’s used customer credentials stolen from a non-Amtrak site and tried them against Amtrak accounts, and got into at least some of them.

Amtrak Guest Rewards is a free program available to Americans who actually use the nation’s rail system – the world’s largest rail network of its kind – to get around the country, allowing them to accrue points that can be spent on things like travel upgrades, gift cards, and even Amtrak merch for the most dedicated train fans.
However, the only upgrade coming to affected users now is mandatory multi-factor authentication (MFA) on their accounts, which Amtrak has enabled without the accountholder’s intervention.

It actually sounds more like two-factor authentication (2FA) rather than true MFA, but organizations often prefer to say “MFA” to make it sound more secure.
Amtrak said in a letter [PDF] to affected customers: “As a precaution to improve your account security and prevent unauthorized account access, Amtrak has enabled multifactor authentication on your Amtrak Guest Rewards account. Upon logging into your Amtrak Guest Rewards account, you will be offered a choice to receive a validation code either by email or text. After you receive the code, you enter it into the website or app to complete your login.”
True MFA offers an additional layer of authentication beyond the basic password-and-code-entry system, such as the addition of number matching, biometrics, and location-based measures.

It’s because the amount of data potentially accessed by the attackers includes:

Email addresses, which may have been changed by the attackers

Names

Contact information

Guest Rewards account numbers

Dates of birth

Payment details such as partial credit card numbers and expiration dates

Gift card information such as the card number and PIN

Information about the accountholder’s previous Amtrak journeys

In addition to Amtrak forcibly enabling 2FA on affected accounts, it also forced password resets and changed the email address on the account, presumably because at least in some cases they were changed by the attackers, who haven’t been identified.
“When you reset your Amtrak Guest Rewards account password, use a unique password that is not easy to guess or used for other accounts,” the letter reads. 
“In addition to changing the password to your Amtrak Guest Rewards account, consider changing your credentials for other online accounts for which you use the same or a similar username and password and review those accounts for any suspicious activity.”

Also included in the letter is detailed guidance about next steps and how customers can ensure no fraudulent activity has been taken using their data, with accountholders being offered one free credit report.
The Reg got in touch with Amtrak for further information, including details about how many customers were potentially affected, but it didn’t immediately respond.
The incident marks the second time the rail company’s rewards program has been breached by baddies. Back in 2020, it was forced to pen similar letters to users after accounts were broken into and personal data was accessed. Although, those particular breakins were detected quickly and no financial data was at risk – the only action taken was to block the attackers and reset passwords. ®