Airline and hotel programs have tried to combat account breaches and takeovers for the past few years with limited success.
Some programs use Google captchas (Hilton), while others require a password so complicated that it becomes impossible to remember (Club Carlson). As of today, Hyatt also requires you to input your last name on file when logging in.
Loyalty programs need to be very careful with these password requirements and with trying to force two-factor authentication, as some have tried.
If they make logging in to one’s account too difficult, as Club Carlson has in my case (I cannot log in to my account without consulting my password spreadsheet first), I am less likely to book with them on the go or to check pricing or room availability.
I do understand, however, that they cannot leave the front door open at the same time for the hackers either.
These hackers weren’t really interested in loyalty accounts before these programs allowed members to turn miles and points into merchandise awards and gift cards, products that can easily be turned into cold hard cash or Bitcoin.