Add another one to the ones impacted.
Last night got an email swarm (1400 emails in an hour, signing up to new email lists, password resets from unknown sites, email enquiries and other things), was working through them and found the 'your details have been updated' from VFF without saying what. Then checked my profile, found they'd changed my email (slightly), and made a return booking for just a few hours ahead on Qatar, from Lagos, Nigeria to Doha.
Tried to get it cancelled before the flight, but contact centre and other channels had shut down and no means to contact anyone, so scammer customer likely got to fly. Called VFF this morning and they're going through the usual motions.
As for the cause, was wracking my brain and the only recent entry was when I was asked to supply my credentials in a Virgin lounge or on a flight.
As for the process enabling this, it's absolutely horrid. They should block such last-minute redemptions from high-risk regions as other air programs have done, or require it be done through a service centre so there can be more verification, which will cut down demand and therefore risk dramatically. Similarly, they could require email address updates to be done through a service centre with ID verification instead of the 1-minute quick change, and then wild splurge with no fallback at all.
All simple to do, and all with outsized benefits to cost.