Yes, indeed, that was what happened - BAEC did the legwork, and did not ask the customer to do anything apart from going through a password reset process.

It is also the case that there are Twitter fraudsters who latch on to complaints made on Twitter, and part of their USP is (a) use WhatsApp to call the BAEC member and (b) invite the user to open a second account. But in this case there is no reference to Twitter and I'm also at a loss to explain what happened here. Well, there's the usual auto-suggest / miscommunication issue, and saying something that sounds about right when the agent doesn't actually know. Overwhelmingly when BA Security is involved the Engagement Centre staff know nothing and can only advise the passenger to use PNR and surname to access bookings (this does not need a new BAEC account) and to wait until Security have completed their work. Usually they are as much in the dark as everyone else.