Data hacks have become pretty common these days, so it’s not surprising when accounts get hacked. What is surprising is that companies know their customers are targets and are doing very little to prevent it. On Wednesday, my JetBlue account was hacked. Someone logged in, changed my email address to theirs, added themselves to my pool and used 69,400 points to book two flights. What has JetBlue done about this so far? Nothing, except lie and deny responsibility.
What happened
So yesterday I got a notice from Google that someone was trying to access my Gmail account. I also received a code via text message. Shortly after, a random number (331-308-0997 – have fun, bots) sent me a text claiming that he accidentally provided my number to Google and could I please send him the verification code I received? Needless to say I ignored it.
About 30 minutes later I got an email alert that my JetBlue account email address had been successfully changed. Seconds later, I received two back-to-back emails confirming two individuals who had been added to my pool.
I tried to login to my account using my TrueBlue number but that’s not actually possible. You have to login with an email address. But my email address was changed and so was my password. I was locked out.
The call to JetBlue
I called JetBlue to get my account back and spent almost an hour on hold. I feel like with how common data hacks are becoming, airlines and credit card companies should have a dedicated line for these things. They don’t.
I waited until I finally got through to a rep. It took excruciatingly long but eventually, they were able to verify my account and change my email address. I then logged in noticed over 69,400 points were missing.
The rep put me on hold for a while longer and confirmed the flight had been canceled, the people had been removed from my pool, and everything was in order. I expressed my frustration that someone could just hack into my account, change my email address (i.e. login) without hindrance and lock me out.
She claimed that it wasn’t my JetBlue account that was hacked: My account was compromised because the hackers were able to access my Gmail account to obtain the verification code sent by JetBlue.
I looked through my emails and there was no such email from JetBlue. Just the one verifying that my email address/login credentials were changed. I figured maybe the hackers had deleted it.
Aftermath
Thanks to excruciatingly long hold times, dropped calls and hostile customer service reps (one didn’t want to help me because my account number had “too many letters”), it took around three hours on the phone over two days to get everything straightened out.
I’m told the issue with the missing points is still pending. At least the flights booked with those points have been canceled.
What was frustrating about this experience wasn’t just getting JetBlue to make things right, but the fact that they lied about the authorization code. I logged into my account yesterday to check the status of the missing points. I decided to also see if I could change my email address easily.
Not only was I able to change my email address, but also my password. The only “verification” I got from JetBlue was the same one I got the day before when my account was hacked: A confirmation that my email address was updated.
I’m disappointed that companies like JetBlue aren’t doing enough to protect customer data. There really is no excuse in 2019, with even the big banks getting hacked, not to have some kind of secondary authentication in place so personal information isn’t compromised.
The only other hack I experienced was six years ago when my Club Carlson account was hacked and my balance drained via gift card redemptions. Back then, a quick phone call got my balance restored. If only it were that easy now.
Has something like this happened to you? How long did it take to get your points back?
[jetpack_subscription_form title=”Subscribe via email for more points, miles and free travel”]
wow I would be calling them back and explaining that I simulated changing the email address and never got a verification and then I would politely request miles in compensation for the giant inconvenience. I would ask to speak to that person‘s manager and then the manager’s manager and so on until I get what I want. If I don’t then I would be leaving comments about it on Twitter. Last resort: Google the name of the CEO’s administrative assistant because part of his/her job is to stop people from reaching the CEO and he/she has a ton of power in order to do so. My account wasn’t hacked but my strategy worked with Citi. Phone calls and working my way up the chain didn’t work but tweeting out what had happened sure did. Days later I got an unexpected phone call and 11,000 thank you points for the inconvenience. The only time my strategy didn’t work was with AT&T mobility (alarm monitoring service) so I disputed the charge with my Citi Card and because they are hands-down the best when it comes to disputes I got my money back. They of course sent me to collections but then I filed a complaint with the CFPB (consumer finance protection bureau) and the Better Business Bureau and wouldn’t you know my balance in collections was dropped (and credit score subsequently repaired).
Had the same thing happen with my JetBlue account although I got the points back in a single phone call.
I was told the booking that was made was already flagged as fraudulent and the points were back in my account st the end of the phone call.
In my case I think the booking didn’t get flagged because the hackers added themselves to my point sharing pool.
My situation did involve the thieves adding themselves to my point sharing pool.
Yeah I did that but they got super defensive about it. I had two cs reps on the phone blow up at me and refuse to help. Their Twitter team hasn’t done anything. They did tell me the status was pending, so I’ll wait it out a couple of days before I unleash hell. Lol!
Was the JetBlue email you think they deleted still in your Deleted Mail folder? Sorry this happened! I agree your email should not have been so easy to change…got me thinking about all of my accounts.
I didn’t see any emails in my deleted folder. But when I tried changing my email address the way the hackers had, JetBlue didn’t send me a verification code like they claimed. Just a confirmation that my email address/login had been changed. You really gotta monitor your accounts closely because hacks are becoming more commonplace. A co-worker of mine just got her bank account hacked and the thief stole all her savings. She had to file a police report and the bank is dragging its feet when it comes to repaying her.
Have you sent an email to Corporate and the CEO’s office?