Thanks for the warning. Seems to be a regular occurrence though.

Am surprised the system does not send you any warning at any point: assume the hacker manages to login as you. They then change the email address to theirs. Then make the booking, and get the confirmation on their new email.

I would expect that a change in personal data (in this case, email) would result in a confirmation email to your old email address from the system - prompting you to login and check what has happened.

Obviously the system does not do that - despite emailing you for loads of other reasons from booking confirmation, 'prepare to fly in 16 days', you have changed your seat request etc. Odd...