3 comments

  • NoseyParker 9 hours ago

    I have spent several months, like a moth to a flame, compiling publicly reported loyalty mile thefts from Alaska Airlines, as well as other discrepancies I found.

    The data suggests Alaska Airlines has a systemic security issue that has been unpatched for 4 years, but members are being blamed to this day for their implied password hygiene.

    Key finding: Alaska's theft rate is 23x higher than peer airlines. The technical patterns (PIN bypass, same-day repeat compromise after password change, password manager users affected, surge after reported hack in June 2025) are inconsistent with credential stuffing.

    This connects to a session management bug reported here in December 2024 [1] that exposed random passenger data. That bug appears unfixed despite being reported through official channels.

    What I'm trying to understand:

    How could this not have been fixed in all this time? How are these accounts likely being accessed and drained?

    Disclosure: not a trader at all, but my research led me to short the stock, so bear this in mind when reviewing my work.

    [1] https://news.ycombinator.com/item?id=42347432

  • SilverElfin 7 hours ago

    Airlines aren’t exactly where the best software engineer talent goes. They have low margins and cannot compete with high paying companies probably. And Alaska was an airline under pressure on top of all that.

    They’re now trying to revamp themselves with the Hawaiian Airlines merger and new long distance 787 flights. But between this loyalty theft issue and other software glitches that affected flights (cancellations/delays) in 2025, I get the impression that their IT team is in a state of neglect and barely holding things together.

    • NoseyParker 4 hours ago

      Nobody has tech debt like airlines.

      But they all have to deal with it, and it doesn't absolve a company of not fixing it.

      It's definitely not the IT team's fault. The solution is a titanic project. Management just have no interest when they can sign up to buy 100 jumbo jets that day instead.