United Airlines spokesman Luke Punzenberger said thieves booked trips or made mileage transactions on up to three dozen accounts. United notified customers in late December, and Punzenberger said the airline would restore miles to anyone who had them stolen.
American Airlines spokeswoman Martha Thomas said that about 10,000 accounts were affected and some have been frozen while the airline and customer set up new accounts, starting with customers who have at least 100,000 miles. She said the airline has learned of two cases in which somebody booked a free trip or upgrade without the account holder's knowledge.
Read MoreKorean Air 'nut rage' executive charged
Thomas said that American would pay for a credit-watch service for one year for affected customers.
Both were quick to say that nobody hacked their systems—that thieves got usernames and passwords somewhere else and tried to use them to log into American's AAdvantage and United's MileagePlus, hoping that the login information would be the same. They said that other information such as entire credit-card numbers was not exposed.
The representatives said they did not know how thieves acquired the usernames and passwords. Thomas said American had referred the matter to the FBI.
Delta Air Lines detected similar attempts to crack into customers' accounts late last year but isn't aware that any were successful, said spokesman Anthony Black. A spokeswoman said Southwest Airlines did not see any such attempts around that time.