How JetBlue Handled the Theft of 34,900 Points From My TrueBlue Account
"Someone's taking a dip in your points" was the simple subject line. Thankfully, I saw the email almost immediately after it arrived, despite Gmail having banished it to the Updates tab. This was my first alert that 34,900 points had just been stolen from my JetBlue TrueBlue account.
There wasn't much time to act. My points had been used to book a flight from Atlanta to New York LaGuardia the next morning. Although I have AwardWallet account balance change alerts set up, the once-a-week update wouldn't have alerted me in time in this case. From the email arriving at 11:52pm to the flight, there were just 10 hours.
How JetBlue Handled the Situation
Seemingly to help the account holder verify quickly whether a redemption is legitimate, JetBlue lists the name of the passenger in the alert email. It didn't take long for me to confirm that none of the members of my JetBlue Points Pooling group had redeemed a last-minute flight.
That short JetBlue email listed a number to call if I was not "on board with this" redemption. So, after gathering all of the information that I could about the passenger from the booking, I called in.
The number listed was a generic number for JetBlue, so I needed to navigate the menu to get an agent. The front-line agent quickly realized that she would need to get a specialist for this situation. Since it was now past midnight Eastern Time, I was expecting this agent to return to tell me that I needed to call back during business hours. Instead, I was transferred to an obviously experienced agent, who cancelled the flight and refunded the points in a matter of minutes.
However, she didn't leave it there. After verifying my identity through my full name, date of birth, email address and other security questions, the JetBlue agent asked for another email address that she could link to my account. In case my original email address was also compromised, she wanted to send the password reset email to a new address instead. Shortly after, I was back in my account — with a new, much stronger password — and my balance was back to what it had been before the fraudulent booking.
Who Stole My Points?
It's unclear at this point, but it probably wasn't the passenger booked to fly on the JetBlue flight. There are numerous fly-by-night "travel agents" that are happy to sell unwitting passengers cheap flights with no questions asked. It's likely that one of these operations sold the person a cheap flight, used my JetBlue points to purchase it, and vanished with their money.
Curious to learn as much as I could, I called the phone number that was used as part of the reservation. The 347 area code cell phone number jibed with the Brooklyn address listed in the booking. However, the person who picked up when I called insisted that I had the wrong number and hung up. To make sure I got the message, the person called back and yelled at me to never call again. (We have omitted their name due to the ongoing investigation.)
Consequences for the (Failed) Traveler
During my phone call with the TrueBlue specialist, I asked the agent how the hacker was able to access my account and what the consequences would be for the traveler. The JetBlue agent said that the corporate security team would look into the situation. However, she was clear that I wouldn't be provided any updates or further information unless JetBlue received a subpoena.
But I was still curious about how this happened. So I reached out to the JetBlue media relations team. In response to my question about the consequences for the passenger fraudulently booked on this flight, a JetBlue spokesperson didn't add much to what I knew already: "We investigate any claim we receive to determine if we should cancel potentially fraudulent bookings and work with law enforcement to prosecute criminal activity."
The spokesperson also confirmed my hunch that the email I received was "triggered automatically when a redemption booking is made."
How My Points Were Stolen
JetBlue uses single-factor authentication for TrueBlue accounts. With an email address and the correct password, anyone can log in and has full access to the account details. Unwisely, I was using an email/password combination that I've used on other websites and that appears to have been compromised in a breach elsewhere.
I asked JetBlue whether the airline is considering adding two-factor authentication to prevent situations like this. The JetBlue spokesperson responded that the airline is "always looking at improving account security and will continue to consider enhancements to our login platform." For now, we will have to rely on a strong password to keep our accounts safe.
How to Avoid This Happening to You
I recommend doing an audit of all of your airline and hotel loyalty programs. While it's super convenient to use the same password for each program, numerous data breaches have likely exposed your go-to email/password and username/password combinations.
We recommend setting up strong randomized passwords that are different for each one of your loyalty accounts. Password managers like LastPass and 1Password make setting and managing these passwords a breeze.
Yes, it takes time. As you read this, you're probably weighing that time cost against the risk that your account will be hacked. I speak from personal experience here: I knew better than to reuse the same password, but didn't put in the time to fix it. Thankfully, the lesson was rather painless for me, as I was able to get my points back quickly. But it's not always this easy to restore your account, especially if the flight has already been flown or another redemption has already been used.
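The reuse described in "How My Points Were Stolen" and the audit recommended above can be automated in a few lines. The following Python script is an added example, not code from this article or from JetBlue or any password manager: it takes a constructed list of loyalty accounts, flags every password that appears on more than one site (reporting a hash rather than the plaintext), and replaces each reused password with a fresh random one generated by the `secrets` module. The site names, email address and passwords in `SAMPLE_VAULT` are made up for this example.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (site, login email, password).
# Every value here is invented for this example; three sites share one password.
SAMPLE_VAULT = [
    ("airline-a.example", "traveler@example.com", "Summer2019!"),
    ("hotel-b.example", "traveler@example.com", "Summer2019!"),
    ("shop-c.example", "traveler@example.com", "Summer2019!"),
    ("airline-d.example", "traveler@example.com", "x7!Qm#2zL9vR@pT4w"),
]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(vault):
    """Return {password_hash: [sites]} for every password used on more than one site.

    Passwords are hashed with SHA-256 before being used as keys so the audit
    report can be logged or shared without exposing the plaintext."""
    groups = defaultdict(list)
    for site, _email, password in vault:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(site)
    return {digest: sites for digest, sites in groups.items() if len(sites) > 1}


def generate_password(length=20):
    """Generate a random password from a CSPRNG, retrying until it contains at
    least one lowercase letter, uppercase letter, digit and punctuation mark."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy all character classes")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotate_reused(vault, length=20):
    """Return a new vault in which every site that shared a password gets its own
    freshly generated one; unique passwords are left untouched."""
    sites_to_rotate = set()
    for sites in find_reused_passwords(vault).values():
        sites_to_rotate.update(sites)
    return [
        (site, email, generate_password(length) if site in sites_to_rotate else password)
        for site, email, password in vault
    ]


if __name__ == "__main__":
    for digest, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {digest[:12]}... reused on: {', '.join(sites)}")
    rotated = rotate_reused(SAMPLE_VAULT)
    print("after rotation, reused groups:", find_reused_passwords(rotated))
```

Run it as-is to see the three-site reuse group reported and then cleared after rotation. In practice the vault would be exported from a password manager rather than hard-coded, and the rotated passwords would of course have to be set on each site before the new vault is saved.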