Plane tracker app FlightAware admits user data exposed for years
Privacy blunder alert omits number of key details
Updated Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.
It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.
The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.
The full list of potentially impacted data points is below:
- User ID
- Password
- Email address
- Full name
- Billing address
- Shipping address
- IP address
- Social media accounts
- Telephone numbers
- Year of birth
- Last four digits of your credit card number
- Information about aircraft owned
- Industry
- Title
- Pilot status (yes/no)
- Account activity (such as flights viewed and comments posted)
- Social Security Number
How was this data exposed? Why were SSNs in there? We asked FlightAware and will update the story if it responds.
The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.
Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.
- National Public Data tells officials 'only' 1.3M people affected by intrusion
- After nearly 3B personal records leak online, Florida data broker confirms it was ransacked by cyber-thieves
- Attacker steals personal data of 200K+ people with links to Arizona tech school
- Data pilfered from Pentagon IT supplier Leidos
"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.
"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."
It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.
It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax. ®
Updated to add on August 22
The folks at FlightAware have been in touch to clarify some of the details. They said "only 16 SSNs were potentially exposed."
"FlightAware does not intentionally collect SSNs, but these users mistakenly provided numbers formatted as SSNs in free-form fields," the biz said.
"We did not discover this fact until after we’d discovered the potential data exposure itself."
Also, the passwords were one-encrypted using a hash algorithm with salt: "Additionally, we can confirm that the passwords were hashed and salted, not stored in plaintext."