NOSEY PARKER RESEARCH

Nosey Parker Research • 17 March 2026 • Simplified Summary

ALASKA AIR GROUP

THE GAME’S UP: EXPOSING AN ASTONISHING 4-YEAR COVER-UP

A Simplified Summary

17 March 2026 | noseyparker.org


DISCLAIMER: The author holds a short position in Alaska Air Group (ALK) and stands to profit from a decline in the share price. This document should be read in conjunction with the main report dated 17 March 2026. It represents analysis of publicly available information and constitutes opinion, not investment advice.


Alaska Air Group has known since at least 2022 that its loyalty platform has a cyber vulnerability.

As a result, thousands of their most loyal and lucrative customers have had their accounts drained by hackers. Alaska’s consistent policy response is to impugn the victim’s password hygiene, restore the stolen points as a “one time courtesy,” and henceforth permanently sanction the victim’s account.

Today the exact unremediated vulnerability is unveiled, along with the organised crime money trail that surrounds it.

More pertinently for investors, the loyalty programme, valued by management in December 2024 at $12 billion, has lost its financial controls as a result of this flaw.

The main report released simultaneously today should be consulted for evidentiary precision and sourced evidence.

What follows is a precis of that weighty investigation.


Act 1: The LinkedIn Spark

In August, the author saw a LinkedIn post about an Alaska Airlines member having their account drained of loyalty points and subsequently replenished. Others responded to announce the same experience.

The LinkedIn post that started the investigation

Three non sequiturs in this post bothered the author.

  1. Why can Alaska not block these clearly fraudulent bookings and stop the thefts?
  2. What purpose could the mandatory telephone PIN booking system, forced upon the victim, serve?
  3. Why would Mr Xie, named as the fraudulent traveller, take the staggering risk of passing through the most secure environments conceivable, under his real identity, for a few transient hours of comfort?

The questions were perplexing enough to launch an investigation.


Act 2: 425 Thefts Gathered

The investigation found 425 victims, each sourced and archived.

The cases were found predominantly in niche special interest forums:

Platform                                    Members   Count   % of Total
Reddit (r/AlaskaAirlines)                    67,000     181         43%
Facebook (Alaska Airlines Atmos Rewards)     50,000     111         26%
US Card Forum                                28,000      48         11%
Others                                          n/a      85         20%

About 30% shared the quantum of their loss. The average was around 220,000 miles.


Act 3: Mode of Theft

The thefts almost universally showed the same characteristics. The pattern has been consistent since 2022.


Act 4: Alaska’s Response Policy

Alaska’s responses to a theft were so consistent that they must undoubtedly be the product of a policy, also unchanged since 2022.


Act 5: The Industry Backdrop

A snapshot was taken with controlled search times to confirm what a cursory internet search shows indisputably:

Loyalty theft reports per 10,000 subreddit members by airline

Alaska is suffering uniquely from thefts at this scale.


Act 6: Tip of an Iceberg

The 425 victims are indisputably a fraction of the actual total. Few people post publicly of largely remediated matters that carry some embarrassment.

That is why the USCardForum.com statistics were striking: 12,000 weekly visitors to a Chinese language forum, where fewer than 5% of posts relate to Alaska, produced 48 victims coming forward. Extrapolations of this number are not definitive, but hacked accounts in 2025 are indisputably in the thousands.


Act 7: The Criminal Marketplace

WhatsApp conversation with Ernest, quoting $120 for 220,000 stolen miles

The miles are sold for extraordinary prices on the black market.

Using an admittedly extreme example, a $35,000 family of 4 trip to Barcelona can be had for less than $200.

Retail price comparison: stolen miles versus retail booking

The main report offers a host of insights from the 6 sellers found (though their integrity must be in question). All were found with a search on Google that located them in the open on Facebook.

Highlights include:

The revelation of their respective payment coordinates took the investigation upon a new path.


Act 8: The Money Trail

The various ETH and BTC wallets proffered for payment opened a new thread for the investigation. Some went straight to exchanges. Others entered a river of apparent illicit capital. Two addresses ended up connecting with accounts through which over $759 million has flowed to KYC-regulated exchanges.

Bitcoin pipeline from seller wallets to regulated exchanges

This entire network appears to be a flurry of subpoenas away from dismantlement. Yet the lack of caution suggests the impunity under which they operate.


Act 9: Law Enforcement

Instinctively, one would think that an airline beset by attacks of this nature would pour time and resources into facilitating arrests, and duly publicise them widely as a loud deterrent. Victim accounts report rather the opposite.

The State of Alaska Attorney General recently challenged Alaska on their reticence to assist with law enforcement. Generously, one could say they operate with discretion.


Act 10: A Track Record of Discretion

The main report details half a dozen instances in Alaska’s filings where management reveals a notable predilection against disclosure.

The subject of member accounts being hacked has also been met with this customary silence.

There is no doubt management are aware of these thefts. The VP of Loyalty stated specifically that this had “visibility all the way up to our CEO.” The local press at Fox, Kiro7, and the Seattle Times have separately investigated this matter.

If it is implausible that management has no awareness of the thefts, it is also implausible that they have no awareness of the PIN lock system that follows an account compromise. It is such an encumbrance for their most loyal and lucrative customers that the CEO must have asked questions, and the additional expense must have drawn the CFO’s attention.


Act 11: The Riddle of the PIN Lock

Yet there it remains.

Why?

Consider the established customer service policy in response to a theft. Miles restored as a “one time courtesy.” Those very words attribute fault to the victim, and their password hygiene is commented upon by customer service representatives when the loss is reported.

Yet the PIN lock system is incongruent with a password defence. The presumably compromised password has been changed by the victim upon discovery, so the password is no longer the issue.

Logic dictates, then, that the vulnerability is not at the password.


Act 12: The Logical Breakdown

The customers, through the imposition of the stated “one time courtesy” refund, are led to believe that their password has been disclosed and that they are at fault for the theft. Yet upon discovery the victim changes the password, so the new password is not the one that was compromised. This makes the PIN lock nonsensical if the vulnerability were at the password.


Act 13: The Proof at Your Desk

You can prove the necessity of this measure yourself at your desk right now.

  1. Log in on 2 browsers.
  2. Change the password on 1 browser.
  3. Refresh the original one.

You will still be logged in. Changing the password does not remove anyone else who has a session cookie and is logged into your account. If the system does not invalidate sessions when the password changes, then a compromised account remains compromised.

The session cookie, however, reveals that it has an expiry date. Unfortunately, that expiry date is perpetually refreshed, maintaining the session cookie indefinitely, no matter how many password changes happen to the original account.

So if your account has been compromised and miles stolen, there is no point giving them back to you. They will be stolen again, as the hacker has ongoing access that cannot be removed by the victim. There are 2 solutions:

  1. Fix the system.
  2. Unplug the victim’s account from the system.

This reasoning reveals it is not just the password change that fails to terminate a session. The fact that Alaska does not cancel this token overwhelmingly suggests they cannot.


Act 14: Passwords Not Required

Most likely the session token is stateless, so it cannot be checked against any server-side criteria once issued.

Now, one could argue that the original sin remains: that the password was compromised and the victim is culpable. But those session cookies that allow access to the account are there for anyone to read.

Because that crucial session cookie is not HttpOnly. Nor does it have other defences against being read.

The HttpOnly flag has been a cornerstone of cybersecurity since 2008. Without it, any script running on the page can read the cookie’s contents, and all Chrome extensions can read them too. With those cookies, they have your account.

This investigation observed 14 outside companies with session cookies on Alaska’s authenticated pages, and those companies do not have to be nefarious actors. If any 1 of them had any kind of breach at any time, that breach could inject code and sweep up every single Alaska Airlines member who logged in that day.

Yet it is not just the firms you need to worry about. It is any malicious actor who can inject their own code into these firms. Or indeed inject malicious code into Alaska’s website if there were, say, a security breach.

However, end users can still provide plenty of access even if their password security is beyond reproach, because with no HttpOnly flag on the session cookie, most Chrome extensions have broad enough permissions to read it too.

The full report contains further significant weaknesses in the IT architecture, but to bring it back to the layman’s understanding:

If anyone obtains this access to your account, they can change your email, phone number, and passport details, and there appears to be no way to ever turn them out. Implicitly, they follow your travels at every step.
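As an added illustration, not code from the report or from any airline system, the following Python models the two session-token patterns discussed in Acts 13 and 14: a signed stateless token checked only against its own sliding expiry, beside one bound to the account's current password version so that a password change ends every earlier session, together with the Set-Cookie attributes that keep page scripts from reading the cookie. The signing key, field names and version counter are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side signing key, constructed for this example only.
SECRET = b"constructed-demo-signing-key"

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_token(user_id: str, password_version: int, now: float, ttl: int = 3600) -> str:
    # Signed, stateless token; "pv" records the password version at login time.
    body = json.dumps({"uid": user_id, "pv": password_version, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def decode_token(token: str):
    # Return the payload if the signature verifies, else None.
    try:
        enc, sig = token.split(".")
        body = base64.urlsafe_b64decode(enc)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None
    return json.loads(body)

def refresh_token(token: str, now: float, ttl: int = 3600):
    # Sliding expiry as described above: an accepted token is re-issued with a
    # fresh "exp"; uid and pv are carried over unchanged.
    p = decode_token(token)
    return None if p is None or p["exp"] <= now else issue_token(p["uid"], p["pv"], now, ttl)

def validate_stateless(token: str, now: float) -> bool:
    # Weak pattern: signature and expiry only. Nothing the account owner does
    # after login, a password change included, can revoke the token.
    p = decode_token(token)
    return p is not None and p["exp"] > now

def validate_bound(token: str, current_password_version: int, now: float) -> bool:
    # Hardened pattern: the token must also match the account's current password
    # version (bumped on every change), so a password change ends older sessions.
    p = decode_token(token)
    return p is not None and p["exp"] > now and p["pv"] == current_password_version

def set_cookie_header(name: str, value: str) -> str:
    # Set-Cookie attributes that keep page scripts from reading the session cookie.
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The two-browser test in Act 13 corresponds to calling validate_stateless with the old token after the version has been bumped: it still passes, whereas validate_bound rejects it.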


Act 15: What Management Knows

It is inconceivable that management are not aware of this weakness. 4 years. For technical reasons, when an account is compromised and a session cookie is obtained, the cookie appears to have no expiry. Thus the PIN lock. Instead of remediating this, the customers have been blamed, inconvenienced, and their accounts sanctioned to hide this technical weakness.

If management are unaware, they must provide a vigorous argument as to why not.


Act 16: The Bridge to Price

The main report identifies 9 distinct factors that detail the impact upon the crown jewel of Alaska Air Group. Here we will just assert these allegations should have seismic implications on how consumers, partners, lenders and investors value Atmos Rewards.


Act 17: The LinkedIn Mysteries Answered

The questions that drew the author into this whole investigation can now be addressed with confidence.

Mystery 1: Why can Alaska not block these clearly fraudulent bookings and stop these thefts?

Because its systems cannot see them. The architecture that processes award redemptions has no fraud detection capability.

Mystery 2: What purpose could the mandatory telephone PIN booking forced upon the victim serve?

Compromised accounts are compromised indefinitely without the subterfuge of putting the blame on the victim and forcing them into the telephone system. The accounts would be drained every time they were replenished.

Mystery 3: Why would the fraudulent traveller take on such staggering risks?

Because flat bed flights almost anywhere in the world are cheaper than your taxi to the airport. And law enforcement are, as a matter of policy, not told of the thefts.


425 victims. An unknown multiple beyond.

A vulnerability unchanged for at least 4 years. A front door that remains, today, wide open.
