How JetBlue Handled the Theft of 34,900 Points From My TrueBlue Account
This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.
“Someone’s taking a dip in your points” was the simple subject line. Thankfully, I saw the email almost immediately after it arrived, despite Gmail having banished it to the Updates tab. This was my first alert that 34,900 points had just been stolen from my JetBlue TrueBlue account.
There wasn’t much time to act. My points had been used to book a flight from Atlanta to New York LaGuardia the next morning. Although I have AwardWallet account balance change alerts set up, the once-a-week update wouldn’t have alerted me in time in this case. From the email arriving at 11:52pm to the flight, there were just 10 hours.
How JetBlue Handled the Situation
Seemingly to help the account holder verify quickly if this was a legit redemption, JetBlue lists the name of the passenger in the alert email. It didn’t take long for me to confirm that my JetBlue’s Point Pooling members had not redeemed a last-minute flight.
That short JetBlue email listed a number to call if I was not “on board with this” redemption. So, after gathering all of the information that I could about the passenger from the booking, I called in.
The number listed was a generic number for JetBlue, so I needed to navigate the menu to get an agent. The front-line agent quickly realized that she would need to get a specialist for this situation. Since it was now past midnight Eastern Time, I was expecting this agent to return to tell me that I needed to call back during business hours. Instead, I was transferred to an obviously experienced agent, who cancelled the flight and refunded the points in a matter of minutes.
However, she didn’t leave it there. After verifying my identity through my full name, date of birth, email address and other security questions, the JetBlue agent asked for another email address that she could link to my account. Just in case my original email address was also compromised, she wanted to send a password reset email to a new email address. Shortly later, I was back in my account — with a new, much stronger password — and my balance was back to what it was before the fraudulent booking.
Who Stole My Points?
It’s unclear at this point, but it probably wasn’t the passenger booked to fly on the JetBlue flight. There are numerous fly-by-night “travel agents” that are happy to sell unwitting passengers cheap flights with no questions asked. It’s likely that one of these operations sold the person a cheap flight, used my JetBlue points to purchase it, and vanished with their money.
Curious to learn as much as I could, I called the phone number that was used as part of the reservation. The 347 area code cell phone number jived with the Brooklyn address listed in the booking. However, the person who picked up when I called insisted that I had the wrong number and hung up. To be clear that I got the message, the person called back and then yelled at me to never call again. (We have omitted their name due to the ongoing investigation.)
Consequences for the (Failed) Traveler
During my phone call with the TrueBlue specialist, I asked the agent how the hacker was able to access my account and what the consequences would be for the traveler. The JetBlue agent said that the corporate security team would look into the situation. However, she was clear that I wouldn’t be provided any updates or further information unless JetBlue received a subpoena.
But I was still curious about how this happened. So I reached out to the JetBlue media relations team. In response to my question about the consequences for the passenger fraudulently booked on this flight, a JetBlue spokesperson didn’t add much to what I knew already: “We investigate any claim we receive to determine if we should cancel potentially fraudulent bookings and work with law enforcement to prosecute criminal activity.”
The spokesperson also confirmed my hunch that the email I received was “triggered automatically when a redemption booking is made.”
How My Points Were Stolen
JetBlue uses single-factor authentication to access TrueBlue accounts. With an email address and the correct password, anyone is able to log into an account and have full access to the details. Unwisely, I was using an email/password combination that I’ve used on other websites and seems to have been compromised.
I asked JetBlue whether the airline is considering adding two-factor authentication to prevent situations like this. The JetBlue spokesperson responded that the airline is “always looking at improving account security and will continue to consider enhancements to our login platform.” For now, we will have to rely on a strong password to keep our accounts safe.
How to Avoid This Happening to You
I recommend doing an audit of all of your airline and hotel loyalty programs. While it’s super convenient to use the same password for each program, numerous data breaches have likely exposed your go-to email/password and username/password combination.
We recommend setting up strong randomized passwords that are different for each one of your loyalty accounts. Password managers like LastPass and 1Password make setting and managing these passwords a breeze.
Yes, it takes time. As you read this, you’re probably weighing that time cost versus the risk that your account will be hacked. And I speak from personal experience here; I knew better than to use the same password combination, but didn’t put in the time to fix it. Thankfully, the lesson was rather painless for me, as I was able to quickly get my points back. But, it’s not always this easy to restore your account, and that’s especially the case if the flight has already been taken or other redemption used.
Featured image by Shutterstock
Welcome to The Points Guy!
Earn 90,000 bonus miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new card in the first three months of card membership. Offer ends 11/10/2021.
With Status Boost™, earn 10,000 Medallion Qualification Miles (MQMs) after you spend $25,000 in purchases on your Card in a calendar year, up to two times per year getting you closer to Medallion Status. Earn 3X Miles on Delta purchases and purchases made directly with hotels, 2X Miles at restaurants and at U.S. supermarkets and earn 1X Mile on all other eligible purchases. Terms Apply.
- Limited Time Offer: Earn 90,000 Bonus Miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new Card in your first 3 months. Offer expires 11/10/2021.
- Earn up to 20,000 Medallion® Qualification Miles (MQMs) with Status Boost® per year. After you spend $25,000 in purchases on your Card in a calendar year, you can earn 10,000 MQMs two times per year, getting you closer to Medallion® Status. MQMs are used to determine Medallion® Status and are different than miles you earn toward flights.
- Earn 3X Miles on Delta purchases and purchases made directly with hotels.
- Earn 2X Miles at restaurants worldwide, including takeout and delivery and at U.S. supermarkets.
- Earn 1X Miles on all other eligible purchases.
- Receive a Domestic Main Cabin round-trip companion certificate each year upon renewal of your Card. *Payment of the government imposed taxes and fees of no more than $75 for roundtrip domestic flights (for itineraries with up to four flight segments) is required. Baggage charges and other restrictions apply. See terms and conditions for details.
- Enjoy your first checked bag free on Delta flights.
- Fee Credit for Global Entry or TSA Pre✓®.
- Enjoy an exclusive rate of $39 per person per visit to enter the Delta Sky Club® for you and up to two guests when traveling on a Delta flight.
- No Foreign Transaction Fees.
- $250 Annual Fee.
- Terms Apply.
- See Rates & Fees