pwshub.com

FlightAware admits passwords, SSNs exposed for over 3 years

Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.

It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.

The full list of potentially impacted data points is below:

  • User ID

  • Password

  • Email address

  • Full name

  • Billing address

  • Shipping address

  • IP address

  • Social media accounts

  • Telephone numbers

  • Year of birth

  • Last four digits of your credit card number

  • Information about aircraft owned

  • Industry

  • Title

  • Pilot status (yes/no)

  • Account activity (such as flights viewed and comments posted)

  • Social Security Number


How was this data exposed? We asked FlightAware and will update the story if it responds.

The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals. 

"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."

It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

It's also typical for companies to offer free credit monitoring for users, and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected is offered two years of service via Equifax. ®

Source: theregister.com
