Probably not unethical if the people they were stolen from can prove they didn’t sell them (which may be a big if for some hacked accounts) or are definitely rich enough not to be adversely effected in any meaningful way regardless. But it seems you wouldn’t be able to use them for anything that requires ID anyway:
Obviously, stolen airline miles aren’t usually spent on actual airfare or hotel bookings—purchases that require proof of ID.
But many reward programs allow account holders to redeem points at local retailers, often through gift cards. In March last year, for example, Air Miles alerted members that points stolen from members were used to buy products from participating retailers. Members aren’t required to enter a password or PIN number when spending points, and retail staff often don’t ask for an ID. Due to the lack of verification, frequent flyer miles have become a profitable target for hackers and thieves. And because most of us don’t use or check our frequent flyer accounts very often, the theft can go unnoticed for months.
This happened to me this morning. And because the link was from a work email but I was logged in on my personal account, Edge wanted me to sign in to view it, requiring time-wasted on a 2FA process for no good reason whatsoever (obv I just closed Edge and copied the link over to Firefox).
The loss of productivity is large regardless of which method you choose to view the link. May this be the beginning of the end for Microsoft. I am fuming.