Any chance you might have used the same log-in for your Alaska account on other sites? There's an article on SF Gate today when an AA flyer lost 138,500 miles, since restored, and suspects the culprits got his log-in information from one of his other accounts.
So how did this happen in the first place?
Here's how Luten summarizes what he thinks happened in
a post about it on his blog: "Hacker found my email address and a password as part of some data breach (like Marriott's). They tried that password in a variety of sites and found that the email/password combo worked with American. They then ran a Craigslist ad or something for cheap car rentals and hotels (with a burner phone, of course), someone paid the hacker cash, hacker made award bookings in that person's name using my miles, and job done. It would be the recipient of the fraudulent award that gets arrested, not the hacker."
https://www.sfgate.com/travel/articl...s-13511459.php
My Alaska log-in is unique to Alaska, but seems like every day we read new stories of database hacks across various web sites ranging from shopping sites to travel sites.