Top flight tracking app says customer info has been leaked online — see if you're affected

News
By
published

FlightAware kept sensitive data exposed online for years

airplane
(Image credit: Shutterstock)

FlightAware has become the latest in a long line of companies to have exposed sensitive customer data online by mistake.

The flight tracking website has sent a breach notification letter to affected customers, confirming that a “configuration error” discovered on July 25 2024 “may have inadvertently exposed” personal information people kept in their FlightAware accounts.

That information includes user IDs, passwords, and email addresses, and depending on the information the users left with the site, may also have included full names, billing addresses, shipping addresses, IP addresses, social media accounts, telephone numbers, year of birth, last four digits of their credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and account activity (flights viewed and comments posted).

No evidence of theft

At the same time, the company filed a breach notification form with the California Attorney General’s Office, which states that the incident actually occurred on January 1, 2021, more than three years ago.

It isn't known exactly how many users were affected by the incident, but as of 2024, FlightAware says it has over 12 million registered users worldwide.

The platform is widely used for tracking flights in real-time, providing valuable information to aviation professionals, travelers, and enthusiasts alike. FlightAware's services span a variety of industries, including airlines, airports, and government agencies.

There is no evidence of misuse, the letter said, meaning there is a good chance that no one found it before FlightAware did. In any case, the company has forced its entire user base to reset their passwords out of caution.

The flight tracking website did not say to what extent the passwords are scrambled, if at all. Therefore, if someone obtained the archive, they could potentially cross-reference the login information with other services, since people often use the same username/password combo across a wide variety of services.

Via TechCrunch

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.