FlightAware Data Leak Exposes Users’ Personal Information


The popular flight-tracking website FlightAware discovered a configuration error that exposed the sensitive personal information of its users.

The data leak included user IDs, passwords, and email addresses and, depending on the information users provided, may also have exposed full names, billing and shipping addresses, IP addresses, social media accounts, telephone numbers, birth years, partial credit card numbers, aircraft ownership details, industry, title, pilot status, and account activity such as flights viewed and comments posted.

The data leak potentially affects all FlightAware users who had accounts between January 1, 2021, and July 25, 2024. FlightAware has not disclosed the exact number of impacted individuals. However, as a precaution, the company requires all potentially affected users to reset their passwords.

Upon discovering the exposure, FlightAware stated they immediately fixed the configuration error. The company began notifying impacted users via email on August 15, 2024. In the breach notification, FlightAware provides affected individuals with details on the specific types of personal information exposed and offers 24 months of complimentary credit monitoring services.

FlightAware users are advised to:

  • Reset passwords on their FlightAware account as well as any other accounts using the same password.
  • Change passwords to linked social media accounts that may have been exposed.
  • Consider using a password manager to create and store strong, unique passwords for each account.
  • Monitor credit reports and financial accounts for suspicious activity.
  • Notify their bank about the potential credit card information exposure and request a new card number.

Some users have expressed frustration about having to pay for a service only to have their data breached. There are also concerns about FlightAware’s data security practices, with some speculating that passwords may have been stored in plain text.
