Originally Posted by
hbtr
I checked to see what happens on the web site if you go through the "forgot password" process. It sends a temporary password to the email address in your profile. So, someone could change your password with just your name and FF# (possibly disrupting your access, at least temporarily), but they shouldn't be able to actually get into your AA account unless they can get into your email. It would help if OP clarified whether this is what has been happening - and if thats the case why his email wasn't secured.
It was probably secured using the same Q&A process as every other account...