Several misapprehensions in responses on this thread:
1) That the persons traveling are the ones who stole the points. A more professional thief will sell tickets for 25% to 50% under list price, online.
2) The attack was via a password crack. Maybe, but maybe the OP's email was broken into. Another route is having a phone sim cloned. In either case, the password recovery systems are abused to change the password into the account. A much lower chance that it is a Southwest employee that improperly accessed the account.