And this was their explanation:
“We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.”
This is complete BS. While yes, I realize that it’s common for people to reuse passwords, I use a password manager to generate unique passwords for each of my online accounts, so it’s impossible for “login information relating to a different online service” to have provided access to my British Airways account (well, okay, it’s not completely impossible, but I can’t imagine that there’s an underlying predictability in the randomness of the passwords generated by my password manager that allowed hackers to generate the password that I would have used for my BA account).
Of course, it’s much more convenient for them to blame someone else rather than admitting that they themselves were hacked, which is what they’re doing.
Two thoughts on online security:
1) You really should use a password management system. Reusing passwords is kinda a big deal. It can’t always help you (like in this case), but it does give me confidence that none of my other online accounts were hacked since I haven’t used my BA password for any other accounts.
2) You should use two-factor authentication for any service that offers it. For example, email, Twitter, Facebook, financial accounts, etc.
Okay, I’m done preaching and ranting.