My Alaska Airlines Mileage Plan account was compromised, but when I contacted the airline to correct it, I was shocked by the response.
If you are considering booking travel or signing up for a new credit card please click here. Both support LiveAndLetsFly.com.
If you haven’t followed us on Facebook or Instagram, add us today.
I’ve Been Saving Them For Years
Alaska Airlines’ Mileage Plan is an incredibly lucrative loyalty program for a few reasons. First, they partner for earning and redeeming with (11) carriers from a combination of Skyteam, Star Alliance, and independent carriers. That’s in addition to (soon) 15 oneworld Alliance members. Second, its redemption rates are below many peers.
While I could credit American flights (now) to Alaska Airlines that hasn’t always been the case, and there are few opportunities to fly the carrier directly from Pittsburgh.
However, over the years I have accrued miles in the program and amassed enough to make a valuable redemption. It’s been around 5-6 years that I started accruing through various random partner flights that made sense to credit to the carrier and transactions. I have a need, a one-way from Europe to the United States that I would like to redeem in business class for three people and an infant. I found the space but then I noticed a problem.
Devastation
Rather than more than 171,000 Mileage Plan miles, my balance showed at just 1,627. My heart sank, I panicked. It was more than just the fact that I couldn’t make my redemption and lost out on thousands, perhaps nearly as much as $10,000 in value if I were to buy the one-way tickets in cash. It felt like someone had been in my home, had gone through my things, and left most of it as they found it, but took this one thing of value and importance.
There are a few quirks about Mileage Plan’s site and one of them is that recent activity doesn’t show anything as a default older than three months. To see more activity, one must select “Filters Applied” and even then, it categorizes earnings first by method (five choices) before a second section offers three, six, 12 and 24 months.
Selecting 24 months revealed that whoever compromised my account booked high end Qatar Airways flights beginning in May of last year. Another significant redemption was made in December. It’s absolutely true that I have not checked this account frequently enough to notice. It’s also true that while I have Award Wallet, I haven’t paid attention and haven’t checked that in some time.
Shame on me.
Something else to consider is that my password still worked. Whoever compromised my account didn’t change my password at all so logging in for my redemption, I was none the wiser and it didn’t set off any alarm bells.
Quick, But Incomplete Resolution
Mileage Plan’s service center for matters of this nature (800-654-5669) is open 7 AM – 7 PM – no time zone or days of the week provided in my communication with the airline. My call was answered by Yolanda and admittedly, she was excellent. One point of concern was that I couldn’t recall my prior address off the top of my head and I had to look it up, but she was fine with this as I had verified the rest of my information but from a social engineering aspect, it felt like my honest recollection issue should have flagged it further for her.
She asked me to send a copy of my ID (passport or driver’s license) to their email address for this purpose. I did so and she verified my information further.
Within ten minutes, all of the stolen miles had been returned to my account, my email address I sent my ID from was my new address and all was well with the world again. I also added a redemption PIN.
But it wasn’t. I gave it about ten minutes for the changes to take hold, the miles appeared in my balance and I needed to tighten up my security and change my password. I couldn’t quickly find a way to determine the email address, phone, or even physical address I have on file with Alaska. However, when I went to reset my password, there it was. The email address and phone number that the perpetrators had changed were still there and hadn’t been updated to my phone number (provided on the call) nor the email (I sent my ID from.)
As such, I couldn’t change my password online, it would just alert the thieves that I was doing so. I had to again call in, authorize myself in, and have it changed over the phone.
By not changing it as agreed, I could have flagged that the miles had been replaced, that I was aware of the security issue and suggested to those that hacked, engineered, or otherwise compromised my account that they book something from the replacement miles right away.
Satisfied Customer
In the end, I am impressed by a few things. While Yolanda didn’t get the email and phone number updated as I had expected, she was really kind, helpful, and patient. And while Alaska Airlines might need to brush up some security protocols, they did the right thing in empowering agents to rectify problems like this without involving a manager, or extensive documentation process.
I remain concerned that I didn’t receive an email from Alaska saying that my details (email and phone number) had been changed initially. Those would have caused me to jump in and alert them of the compromise before any miles were redeemed in the first place and secure my account.
However, in the end, the miles were replaced by a friendly rep capable of solving my problem right away. It’s hard to get mad about that.
Conclusion
It could have been far worse. I could have faced a lengthy process to prove my identity. I had already thought about how Alaska could verify it wasn’t me from the IP address used to purchase the tickets, to unusual travel patterns; we could have looked at when the email address was changed in relation to the first redemption. It’s possible that Alaska would have viewed the transactions as too old to credit back and done nothing at all. But in the end, the airline spared me from any of that. The value from the program remains exceedingly valuable and if anything, it encouraged me to check my accounts more often, update my security, and probably double down on Alaska Airlines in the future. It’s easy to look like a great airline when everything is going right, but when there are challenges like this one, they made it easy to resolve and rose to the occasion.
What do you think? Have you had your account compromised? How was your experience?
So you have not checked the account in 1 year? How are you a points and travel blogger?
this. Kyle claims that these miles are of value, yet doesn’t check them in a year? That isn’t a n00b mistake, that is negligence bordering on ridicule
@arnos grove – I owned my mistake in not checking the balance more regularly. However, I also have miles in about 50 accounts. At what regularity should I check them to keep my blogging card active?
Ever heard of Award Wallet? I understand it helps you keep an eye on multiple accounts at once …
@James – Yes and used to love it and use it all the time. Unfortunately, due to the unusual way some airlines require logins I stopped paying attention to it because there were so many error codes and secondary authorizations that it lost its value for me. Additionally, my Alaska program is on there, but I was never alerted that anything was problematic nor about the redemptions. I just changed my passwords and login protocol and haven’t heard a peep from Award Wallet. Additionally my balance changed significantly there and again, nothing from them. So I am not sure I see the point if I am not alerted to major changes, including failed logins (due to password changes) with the service.
Hmm, somehow cannot reply to your reply.
That is actually very useful information, thanks. I always heard of AwardWallet as the next best thing (after sliced bread) but don’t want to pony up for the paid version. I guess it has its flaws, you cannot rely on it completely.
As for Alaska miles-while their miles don’t expire they do lock after no activity for 2 years, so theoretically if you aren’t using the account it is better to let it be locked, because that way no one can get into it (to reactivate you need to verify over the phone. Though not much information is requested).
Please be nice. Sometimes people like to have miles accrued on programs with good redemptions and AS has great redemptions.
I have miles with BAEC and KE but I haven’t had status with them in a long time as I used to be a BA Gold Guest List and Morning Calm Premium. But I haven’t flown with them but kept qualifying activities to keep the miles from expiring until I need to use them.
Are you sure that you didn’t have bad password practices on this account? It seems likely that you used the same password on this account as you used on other accounts, and that is how the thief was able to access your Alaska account without your knowledge. They probably changed the email and phone so that when Alaska sent confirmations for the purchases, they got the emails instead of you.
I’d say that Alaska was extremely generous to restore all your miles.
It seems to me that with the details of who was ticketed that Alaska security likely could find out something about the perpetrator. Even if the ticket was resold by a mileage broker, the passenger can probably identify from whom they got the ticket.
@Cheryl – I agree with most of what you’re saying, though I don’t have common passwords for most of my accounts. That wasn’t always the case though. Further, there have been so many data leaks over the years that I am pretty sure they just kept trying different avenues until something worked.
This EXACT thing happened to meet with Alaska and same redemption airline. Except I had just over 400k miles missing. Literally went through exact same steps. It’s annoying having pin now. Wondering if this was more error on Alaska’s part with security given similar instances……
@M – Also had this experience once with Hilton (though those were spent on Amazon) and also replaced instantly. That said, it must be pretty regular, the rep wasn’t alarmed.
Aren’t you usually sent an email when miles are used or flights booked? Either way, glad you got em back!
@Trevor – yes, but they had changed the email address first so that I wasn’t alerted. The concern for me is how did they do that without detection?
I don’t think the Alaska Mileage program partners with Star Alliance! I even tried using my Alaska Mealeage with American, an Alaska partner and I couldn’t do it. Trying to get rid of them!
They partner with Singapore which gives access to Star Alliance flights.
This is a really important call out and I’m glad you shared your experience. It’s not unreasonable or uncommon for most airline customers to not log in and frequently check their miles/points/etc.
More companies, like Alaska Airlines, should be moving towards automated identity proofing measures ahead of account change transactions like redemption of points which would have kept your account and miles protected, and ensured that only you could redeem them- even if someone took over your account.
Kyle, So can anyone setup a pin number now? Thank you!
@Sasha – That’s my understanding.
Thanks! WIll try to see if I can setup a pin for my account.
Thanks for sharing and I am glad everything worked out.
Kyle, Thanks for sharing. I should have read this post sooner.
I am user of award wallet and check my balance “more” regularly. Still get hack, nonetheless!
I found out 20 hrs too late!
Just if the call with Alaska rep on validation and recovery process similar to your post.
2nd level authentication and notice if redemption or changes must be implemented to minimize the risk.