kirker

This is a definite first: somebody managed to gain access to my Mileage Plus account on Friday and used it to purchase two tickets on QR! (for 140,000 miles) I received zero email notifications about it, which I'm guessing means the hacker changed my email address prior to making the award booking, but then subsequently changed it back. I also can't access the listed PNR: I'm assuming (especially since it's an international flight) that the ticket was booked under the thief's last name.

Has this ever happened to anyone else before?? (Worst possible timing, too, what with all the Alaska pilots on strike and customer service lines being inundated right now.)

MSPeconomist

The hacker would need to use either his/her own name for the award ticket or (more likely) the name of the passenger who bought the tickets through a mileage broker or other scammer.

flytoeat

Can you see when the flight is scheduled?

notquiteaff

No pilots on strike, they were picketing. But you are still likely facing long hold times. Perhaps also try Twitter DM and chat and ask for a number for the security department. And MileagePlan has separate contact info here (incl. phone and “email” we form). Perhaps they aren’t quite as swamped as reservations?

https://www.alaskaair.com/content/mi...t-mileage-plan

I think when I book a ticket for someone else form my account the PNR appears in My Trips for my account.

Good luck, I think they will make you whole.

samosa

This hacking has happened to me before. They even added a credit card number to the profile. They reset my account, put the miles back in, then said I needed to add a pincode next time or they would not refund the issue in the future. They could not figure out how it happened. The way I found out was due to Awardwallet, as the "hacker" added a new e-mail address for confirmations.

olouie

How do you add a pin code?

samosa

Customer care, the problem is you can't use it online, and can't do much when customer care is closed.

echino

Just happened to me too. I got an alert that my credit card was charged by Alaska. I have my credit card saved in my Alaska account. I logged in to my Alaska account and saw that miles were redeemed for a flight today on Aer Lingus, 2 x 60,000 miles, for names that I don't know. There were no emails from Alaska. I changed my Alaska password right away. Then I received the following email from "Alaska Revenue Protection":

Please call Customer Care at 1-800-654-5669 to verify your Mileage Account. There has been recent activity from your account that we suspect may have been done without your permission.

I called and it was a long hold before I could reach a live person. They put me on hold again, and then came back advising I will receive an email soon asking to send them my DL and PIN. They couldn't tell me if my credit card charged will be refunded, and told me I may need to contact my credit card and report fraud to get those charged removed. I got that email and sent what they asked. Now I cannot log in to my Alaska account. Waiting for the resolution.

Speedbird84

Never understood why they don’t require CVV confirmation when paying with a card saved to your account.

Won’t prevent the miles theft but it seems like a basic and barely inconveniencing way to prevent credit card abuse.

olouie

For those that were hacked? Were you using a unique password for Alaska or reusing passwords?

samosa

I believe reused.

echino

Mine was a unique password. But a very old one, it had not been changed for a long time.

firehawk

So this is interesting.

For some reason, I have been unable to access my Alaska account and every time I requested a password reset or SMS... I never received anything.
After contacting customer support, they said that there is a "misspelling" on the email address - they added an extra letter.

They asked me to confirm some details before enabling the account again and asked me to check the trips/activity.

Sure enough, someone claimed 30K miles for a trip... using ROYAL AIR MAROC!

Never flew them. I am based in the US.

So they said they will credit the miles within 7-10 business days but I don't understand how they were able to get into the account (granted, leaks happen) and reclaim the miles.
Surely all the ticketing information will be taken from the account which would have my name on it? They would have to present some form of ID with the ticket?

Surely there must be a way to pursue the individual since they flew and bought the ticket and bring them "down" in some way when they know they did this illegally? Granted this may not even be possible but I mean... come on. We are always trying to pursue hackers and what not and bring them to justice of sorts. Yes, it's a small thing here in this context but that's besides the point.

Thoughts?

johnnyeisu

That's the problem when sites don't use 2FA. It's a hassle for the user but it guarantees stuff like this doesn't happen. At least you'll get your points back, it'll probably be on them to pursue who essentially stole the points from them and it probably isn't even legally worth it.

notquiteaff

Did you use a strong and unique (across all online accounts you have) password?

Do you use a password manager?

The passenger who flew the stolen flight might not have been the hacker; the hacker could have sold that flight to a 3rd party.