My JetBlue account got hacked and I lost 69,400 points

About five years ago, my JetBlue account got hacked. Someone logged into my account, changed my email address to theirs, added themselves to my pool and used 69,400 points to book two flights.

What did JetBlue do about it? Deny responsibility and then take a week to restore my account balance.

Data hacks have become pretty common these days, so it’s not surprising when accounts get hacked. What is surprising is that companies are doing very little to prevent it.

Here’s a look at how my JetBlue account got hacked and some tips on how you can prevent it from happening to you.

How I found out my JetBlue account was hacked

It all started when I received a notice from Google that someone was trying to access my Gmail account. Google also sent me a confirmation code via text.

Shortly after, a random number (331-308-0997—have fun, bots) texted me, claiming that he accidentally provided my number to Google. He asked me to please send him the verification code I received. Needless to say, I ignored it. 

I was at work and couldn’t really deal with it, but figured that was the end of it. Spoiler alert: It wasn’t.

About 30 minutes later, I received an email from JetBlue, stating my email address had been successfully changed. Seconds later, I received two back-to-back emails confirming that two individuals had been added to my points pool.

The email confirming my JetBlue email/login was changed – proof my account was hacked

I didn’t know these people and I definitely hadn’t updated my email. This is when I knew my JetBlue account got hacked.

I tried to log in to my JetBlue account using my TrueBlue number, but that’s not actually possible. You have to log in with an email address.

The problem? Since my email address and password were both changed, I was locked out.

The call to JetBlue

I called JetBlue to get my account back and spent almost an hour on hold. Given how common data hacks are, airlines and credit card companies should have a dedicated line for these things. They don’t.

I waited until I finally got through to a representative. It took excruciatingly long but eventually, they were able to verify my account and change my email address.

I logged into my account and immediately realized over 69,400 TrueBlue points were missing.

The hackers had used these points to book flights – their names were spelled out on the booking management page.

The JetBlue representative put me on hold for a while longer and confirmed the booking was canceled, the people had been removed from my pool, and everything was in order.

I expressed my frustration that someone could hack into my JetBlue account this easily, change my email address (i.e. login) without hindrance and lock me out. 

She claimed that my JetBlue account wasn’t hacked. Instead, my account was compromised because the hackers were able to access my Gmail account and obtain the verification code sent by JetBlue.

I looked through my emails and there was no such email from JetBlue. Just the one verifying that my email address/login credentials were changed. I figured maybe the hackers had deleted it (I later found out, they didn’t).

Regardless, JetBlue’s response was pure semantics. They could have deterred the hackers by requiring multi-factor authentication (MFA). At the very least, the fact that someone logged in from an IP address out of state should have triggered some kind of security notification.

How I got my points back

Thanks to excruciatingly long hold times, dropped calls, and hostile customer service representatives, it took around three hours to get my account back.

It took another week for JetBlue to fully restore my missing point balance. There were no apologies, no amends, or even acknowledgment of the hack.

The frustrating part of this experience wasn’t just that my JetBlue account got hacked. It was the amount of time and effort it took to get JetBlue to resolve the issue. I found it especially egregious that the phone representative lied to me about the authorization code.

I even logged into my account the next day to test whether JetBlue actually sends out an authorization code, as claimed. My experiment confirmed my suspicions: I was able to change my email address and password easily, without requiring an authorization code.

The only notification I received from JetBlue was the same one I got the day before, when my account was hacked: a confirmation that my email address was updated.

No verification is required to change a JetBlue account email or login

Since this post was published, JetBlue has enacted further security measures and 2FA. Now, when account changes are made, you will receive an authentication code via email.

How to protect your JetBlue account from getting hacked

Over the past few years, JetBlue account hacks have become common. Google the topic and you’ll find numerous bloggers (and discussion forum posts) detailing similar experiences to mine.

As a result, JetBlue has implemented better security measures to deter hackers. For example, when you log in to your TrueBlue account now, JetBlue sends a verification code to your email.

Is this helpful? Not particularly, because that same system allowed hackers to get into my account in the first place.

But you can make this system work for you. To avoid your JetBlue account getting hacked, take the following steps:

Create a strong password or use a password management system

The first step in protecting your account is to use a strong password. Furthermore, use a password management tool like 1Password or Google Password Manager for Chrome.

This way, hackers can’t easily guess your password, protecting you from account hacks.

Ideally, you should update both your JetBlue and email passwords.

Set up two-factor authentication (2FA)

JetBlue has two-factor authentication, connected to your email by default. For greater security, you should update your 2FA settings to text messages.

Hackers are less likely to get access to your phone and intercept any verification codes sent by JetBlue. It’s much safer than email verification (as demonstrated by my experience).

To update your security preferences, log into your JetBlue TrueBlue account and follow these steps:

  1. Click on your profile and select “Profile and Settings.”
  2. Navigate to the “Sign in & Security” tab.
  3. Under “Text message”, select the “add” button.
  4. Enter the security passcode sent to your email, then enter your JetBlue password again when prompted.
  5. Enter your cell phone number.
  6. Check your phone for a verification code and enter it on the screen.
  7. You’ll be redirected to the Sign in & Security page again. Confirm that your phone number has been added as a 2FA method.

Set up 2FA to avoid JetBlue account hacks

What to do if your JetBlue account gets hacked

If your JetBlue account is hacked, you should work quickly to get your account back. Here are the steps to follow:

  1. Change your passwords immediately: It’s important to quickly change your password to prevent access from potential hackers. If your JetBlue account got hacked, you’ll also want to change your email address, especially if hackers were able to access security codes that way.
  2. Call JetBlue: Call JetBlue immediately to inform them of the data breach. They can ensure that any travel bookings are immediately canceled and your points restored.
  3. Remove all saved credit cards: If any credit cards are saved to your profile, you’ll want to delete those, too. That way, if your JetBlue account gets hacked again, the thieves can’t steal your points and use your card to pay for travel.

Bottom line

It’s unfortunate that companies like JetBlue aren’t doing enough to protect customer data. Nowadays, with even the big banks getting hacked, there is no excuse not to have better security.

The only other hack I experienced was six years ago, when my Club Carlson account was hacked, and my balance was drained via gift card redemptions. Back then, a quick phone call restored my balance. If only it were that easy now.

Was your JetBlue account hacked? How long did it take to get your points back?

This story was published on August 9, 2019. It’s been updated with additional information.

8 thoughts on “My JetBlue account got hacked and I lost 69,400 points”

  1. Wow, I would be calling them back and explaining that I simulated changing the email address and never got a verification and then I would politely request miles in compensation for the giant inconvenience. I would ask to speak to that person’s manager and then the manager’s manager and so on until I get what I want. If I don’t then I would be leaving comments about it on Twitter. Last resort: Google the name of the CEO’s administrative assistant because part of his/her job is to stop people from reaching the CEO and he/she has a ton of power in order to do so. My account wasn’t hacked but my strategy worked with Citi. Phone calls and working my way up the chain didn’t work but tweeting out what had happened sure did. Days later I got an unexpected phone call and 11,000 thank you points for the inconvenience. The only time my strategy didn’t work was with AT&T mobility (alarm monitoring service) so I disputed the charge with my Citi Card and because they are hands-down the best when it comes to disputes I got my money back. They of course sent me to collections but then I filed a complaint with the CFPB (consumer finance protection bureau) and the Better Business Bureau and wouldn’t you know my balance in collections was dropped (and credit score subsequently repaired).

    1. Had the same thing happen with my JetBlue account although I got the points back in a single phone call.

      I was told the booking that was made was already flagged as fraudulent and the points were back in my account at the end of the phone call.

    2. Yeah I did that but they got super defensive about it. I had two cs reps on the phone blow up at me and refuse to help. Their Twitter team hasn’t done anything. They did tell me the status was pending, so I’ll wait it out a couple of days before I unleash hell. Lol!

  2. Was the JetBlue email you think they deleted still in your Deleted Mail folder? Sorry this happened! I agree your email should not have been so easy to change…got me thinking about all of my accounts.

    1. I didn’t see any emails in my deleted folder. But when I tried changing my email address the way the hackers had, JetBlue didn’t send me a verification code like they claimed. Just a confirmation that my email address/login had been changed. You really gotta monitor your accounts closely because hacks are becoming more commonplace. A co-worker of mine just got her bank account hacked and the thief stole all her savings. She had to file a police report and the bank is dragging its feet when it comes to repaying her.
