I fell into investigation of Alaska Airlines by complete happenstance when I saw a fleeting glimpse of dubious tradecraft.

I laid my investigation down this week, staggered at what I had unearthed.

I detail the accounting anomalies I found in their SEC filings elsewhere. They do not turn heads despite their gravity alas.

Fear not, below lies a tale of a corporation who chose out of commercial expediency, to damage and impugn their best customers, rather than reveal a cyber attack that continues to this day, and has been running for 4 years.

If I manage to pull myself away from this one - the next will be on the side of the angels without me trading upon it.

Rather puts a carrot in one’s wotsit.

Four Years of Blame

For four years, Alaska Airlines has blamed its own customers for a security failure the airline refuses to fix.

April 2022

A FlyerTalk user reported their account had been drained of 140,000 miles to book premium Qatar Airways flights for total strangers. The hackers had switched their notification emails during the heist.

Another victim on the thread explained Alaska’s response:

“They reset my account, put the miles back in, then said I needed to add a pincode next time or they would not refund the issue in the future.”

January 2026

Nothing has changed. Four years later, members’ accounts are being hacked in exactly the same way. A recent example:

“Happened to me. Several individuals from the Middle East flew into Texas on 500,000 of my points. They were able to use my Alaska credit card attached to my account to pay for in-flight food and WiFi—plus seat upgrades.

Alaska only refunded my miles under the condition that my account is now locked down by them and I have to call customer service to get it unlocked with a code every single time I want to book.

They refused to refund the several thousand dollars that was charged to my card (which itself was NOT compromised—they only could charge to it through the app) and told me to dispute the charges with the credit card company.”

The attack characteristics remain unchanged:

• Last-minute international premium cabin bookings

• Notification suppression through email address changes

• Stored payment methods exploited

The airline’s response remains unchanged:

• Miles restored as “one-time courtesy”

• Permanent account restrictions imposed

• Credit card charges declared the customer’s problem

Four years. Not a single element of these thefts has been closed off. I should know, I found 370 of them in 2025.

This is not a security team working through a backlog. This reveals something catastrophic about the technical infrastructure itself.

The Crime of the Compromised Password

For four years, Alaska has blamed its victims:

• “My points were all stolen too. They acted as if I’d done something to cause it. They kept telling me to keep my password secure.” (link)

• “They made it a pain to get them back and blamed me for it.” (link)

• “This is my fault and not theirs.” (link)

• “If we find out this was you, we will pursue prosecution.” (link)

Let us suppose for a moment that compromised passwords are to blame.

Alaska Airlines carries $3.6 billion worth of loyalty points on its balance sheet. Simple ancient passwords making up the entire security firewall is utterly indefensible.

Court cases involving Dunkin’ Donuts and 23andMe have established that weak password policies are the custodian’s responsibility, not the customer’s.

If accounts are being compromised through feeble passwords, that is entirely Alaska’s fault for allowing such passwords to remain.

The Unchanged Reprisals

Alaska’s remediation procedure has not changed in four years either.

This routine has the remarkable effect of silencing victims. If you are told with absolute certainty that you were responsible for the theft, you have no basis to dispute it.

The depredations inflicted:

• Phone hold times of 6.5 hours, 7 hours and 8.5 hours reported in the last week alone

• The lifetime PIN lock, a direct imputation that victims cannot be trusted with passwords ever again

• Forcing victims to dispute charges with their credit card company, which will take it up with Alaska anyway

• Whatever loyalty points victims retain are worth far less, having lost the ability to book online

Of course, the victim’s loss in value, is directly Alaska’s gain.

The Broken Machine

All airlines have to build their systems upon a common 50 year old system, and Alaska’s development is leagues behind the other US airlines. The method of theft reveals all.

The Email Switch

Muzzling notifications to the member requires switching the notification email address. At Alaska the legacy database updates records without triggering notifications to the original email. Fixing it demands overhauling complex middleware, not a quick logic change.

No Red Flags

The other part is perhaps worse. The system cannot flag “New Beneficiary + High Value + Last Minute + Different Continent” as suspicious. Because again that is happening on a layer where Alaska is architecturally blind.

No Passwords Necessary

Then comes the rub - almost certainly hackers are not entering with passwords. They are stealing session tokens (digital wristbands proving a user is already logged in) and exploiting a caching error where the server confuses one user with another.

When a stolen token is presented, the legacy system cannot verify it is bound to a specific device or location.

The hacker enters through a side door, bypassing the login screen entirely.

Bringing this infrastructure to modern security standards is not a matter of updates. It requires a complete middleware rewrite and identity management overhaul: a multi-year project apparently.

Deception As Policy

Now we understand why the PIN lock exists. Alaska has no idea how these accounts are being compromised. If it is by session hijack, the account is as vulnerable as ever.

To make them endure this penalty, Alaska invoked their gratitude with a benevolent refund and stern admonishments on password hygiene. A cunning, but reprehensible subterfuge.

Four years ago all the airlines were getting raided by hackers, but they all fixed it. Alaska chose to expand their empire instead. Yet the hacks have accelerated, and it’s too late to come clean.

Those 370 victims I found in 2025 are the tip of an iceberg. Only Alaska knows how many thefts there have been?

Absolutely not. They have no idea

Most victims discover their loss and only when they complain to Alaska find out. Alaska is clueless as to how many thefts have taken place and not yet been discovered.

The jewel in every airline’s crown is its mileage programme. Wildly profitable, stunningly predictable, and requiring minimal management attention. Their stability means $2BN of debt at Alaska is taken directly against it.

Yet Alaska must have no idea what the liability balance is, as they don’t know how many accounts have been raided.

The Butcher’s Bill

This is the end of my investigation into Alaska Airlines, and through what I have seen, there is no doubt in my mind.

• The company has infrastructure that is incapable of stopping the same cyber-hack that it’s had for the last four years, and there is no prospect of that changing.

• We have a mileage programme which has no knowledge of its liabilities and no knowledge of the fraudulent expense it is incurring.

• The accounting anomalies discussed elsewhere have no US GAAP compliant explanation.

• We have an alphabet soup of government agencies who will be investigating and examining what happened.

Perhaps worst of all, Alaska’;s most loyal, and lucrative customers, will find out they were systematically deceived, purely for commercial expediency.

Even then we may only be seeing the tip of an iceberg.

Short $ALK.

Full investigation: https://www.noseyparker.org/p/alk-accounted