How JetBlue Handled the Theft of 34,900 Points From My TrueBlue Account

Jul 24, 2019


“Someone’s taking a dip in your points” was the simple subject line. Thankfully, I saw the email almost immediately after it arrived, despite Gmail having banished it to the Updates tab. This was my first alert that 34,900 points had just been stolen from my JetBlue TrueBlue account.

There wasn’t much time to act. My points had been used to book a flight from Atlanta to New York LaGuardia the next morning. Although I have AwardWallet account balance change alerts set up, the once-a-week update wouldn’t have alerted me in time in this case. From the email arriving at 11:52pm to the flight, there were just 10 hours.

How JetBlue Handled the Situation

Seemingly to help the account holder verify quickly if this was a legit redemption, JetBlue lists the name of the passenger in the alert email. It didn’t take long for me to confirm that my JetBlue Point Pooling members had not redeemed a last-minute flight.

That short JetBlue email listed a number to call if I was not “on board with this” redemption. So, after gathering all of the information that I could about the passenger from the booking, I called in.

The number listed was a generic number for JetBlue, so I needed to navigate the menu to get an agent. The front-line agent quickly realized that she would need to get a specialist for this situation. Since it was now past midnight Eastern Time, I was expecting this agent to return to tell me that I needed to call back during business hours. Instead, I was transferred to an obviously experienced agent, who cancelled the flight and refunded the points in a matter of minutes.

However, she didn’t leave it there. After verifying my identity through my full name, date of birth, email address and other security questions, the JetBlue agent asked for another email address that she could link to my account. Just in case my original email address was also compromised, she wanted to send a password reset email to a new email address. Shortly afterward, I was back in my account — with a new, much stronger password — and my balance was back to what it was before the fraudulent booking.

Who Stole My Points?

It’s unclear at this point, but it probably wasn’t the passenger booked to fly on the JetBlue flight. There are numerous fly-by-night “travel agents” that are happy to sell unwitting passengers cheap flights with no questions asked. It’s likely that one of these operations sold the person a cheap flight, used my JetBlue points to purchase it, and vanished with their money.

Curious to learn as much as I could, I called the phone number that was used as part of the reservation. The 347 area code cell phone number jibed with the Brooklyn address listed in the booking. However, the person who picked up when I called insisted that I had the wrong number and hung up. To be clear that I got the message, the person called back and then yelled at me to never call again. (We have omitted their name due to the ongoing investigation.)

Consequences for the (Failed) Traveler

During my phone call with the TrueBlue specialist, I asked the agent how the hacker was able to access my account and what the consequences would be for the traveler. The JetBlue agent said that the corporate security team would look into the situation. However, she was clear that I wouldn’t be provided any updates or further information unless JetBlue received a subpoena.

But I was still curious about how this happened. So I reached out to the JetBlue media relations team. In response to my question about the consequences for the passenger fraudulently booked on this flight, a JetBlue spokesperson didn’t add much to what I knew already: “We investigate any claim we receive to determine if we should cancel potentially fraudulent bookings and work with law enforcement to prosecute criminal activity.”

The spokesperson also confirmed my hunch that the email I received was “triggered automatically when a redemption booking is made.”

How My Points Were Stolen

JetBlue uses single-factor authentication to access TrueBlue accounts. With an email address and the correct password, anyone is able to log into an account and have full access to the details. Unwisely, I was using an email/password combination that I’ve used on other websites and that seems to have been compromised.

I asked JetBlue whether the airline is considering adding two-factor authentication to prevent situations like this. The JetBlue spokesperson responded that the airline is “always looking at improving account security and will continue to consider enhancements to our login platform.” For now, we will have to rely on a strong password to keep our accounts safe.

How to Avoid This Happening to You

I recommend doing an audit of all of your airline and hotel loyalty programs. While it’s super convenient to use the same password for each program, numerous data breaches have likely exposed your go-to email/password and username/password combinations.

We recommend setting up strong randomized passwords that are different for each one of your loyalty accounts. Password managers like LastPass and 1Password make setting and managing these passwords a breeze.

Yes, it takes time. As you read this, you’re probably weighing that time cost versus the risk that your account will be hacked. And I speak from personal experience here; I knew better than to use the same password combination, but didn’t put in the time to fix it. Thankfully, the lesson was rather painless for me, as I was able to quickly get my points back. But, it’s not always this easy to restore your account, and that’s especially the case if the flight has already been taken or other redemption used.
