Just to clarify in case someone assumes the same thing I did from the headline: it isn't the Facebook account that gets stolen, but the airline website account.
I've seen that meme get passed around Facebook for several different airlines, several times. It's always so lazy too "this company that's been around for 60 years is turning 88! Wow get your free tickets because thats what companies do when they turn 88!"
I thought the point was about the risks of posting images of boarding passes on the internet. Where they happen to be posted seems irrelevant to me, but whatever.
It seems the attacker/pen-tester got access to the guy's passport number. I wonder how easy it would be to do identify theft and gain entry into other accounts.