I have spent several months, like a moth to a flame, compiling publicly reported loyalty mile thefts from Alaska Airlines, as well as other discrepancies I found.
The data suggests Alaska Airlines has a systemic security issue that has been unpatched for 4 years, but members are being blamed to this day for their implied password hygiene.
Key finding: Alaska's theft rate is 23x higher than peer airlines. The technical patterns (PIN bypass, same-day repeat compromise after password change, password manager users affected, surge after reported hack in June 2025) are inconsistent with credential stuffing.
This connects to a session management bug reported here in December 2024 [1] that exposed random passenger data. That bug appears unfixed despite being reported through official channels.
What I'm trying to understand:
How could this not have been fixed in all this time?
How are these accounts likely being accessed and drained?
Disclosure: not a trader at all, but my research led me to short the stock, so bear this in mind when reviewing my work.
NoseyParker•1h ago
[1] https://news.ycombinator.com/item?id=42347432