Flight tracking service 'FlightAware' reveals that a configuration error leaked users' personal information for several years



FlightAware, a real-time flight tracking site that lets you search for and track any flight, is urging some users to change their account passwords after discovering that it had leaked users' personal information over a multi-year period.

FlightAware
(PDF file) https://static.flightaware.com/pdf/fa_data_notification.pdf

FlightAware configuration error leaked user data for years
https://www.bleepingcomputer.com/news/security/flightaware-configuration-error-leaked-user-data-for-years/



FlightAware warns that some customers' info has been 'exposed,' including Social Security numbers | TechCrunch
https://techcrunch.com/2024/08/19/flightaware-warns-that-some-customers-info-has-been-exposed-including-social-security-numbers/

FlightAware is based in Houston, Texas, USA, and provides the world's largest flight tracking service using Automatic Dependent Surveillance-Broadcast (ADS-B) at 32,000 points in 200 countries. FlightAware was founded in 2005 and was acquired by aerospace technology developer Collins Aerospace in August 2021. FlightAware has more than 10 million monthly active users.

FlightAware reported on the official website of the California Attorney General's Office that a configuration error that occurred on January 1, 2021 caused users' personal information, such as user IDs, passwords, and email addresses, to be leaked. The configuration error was discovered on July 25, 2024, so personal information had been accessible to anyone for more than three years, but it is unclear at the time of writing whether the data was actually leaked. Details of the 'configuration error' itself have also not been disclosed at the time of writing.

Additionally, the following data may have also been exposed, depending on whether the user added it to their FlightAware account:

·Full name
·Billing address
·Shipping address
·IP address
·Social media accounts
·Telephone number
·Year of birth
·The last four digits of your credit card number
·Information about your aircraft
·Pilot status
·Industry and job title
·Account activity (including flights viewed and comments posted)
·Social Security number



FlightAware said it has fixed the configuration error and will prompt all potentially compromised account holders to reset their passwords the next time they log in. FlightAware also has a dedicated password reset page to allow users to quickly change their passwords. Users who receive notification of the data breach will receive a free 24-month identity protection package via Equifax.

Reset Password - FlightAware
https://www.flightaware.com/account/reset

Users who have used the same compromised credentials on other online platforms are advised to reset their passwords as soon as possible to reduce the risk of account takeover.

BleepingComputer has asked FlightAware about the number of users who may have been affected by the data leak, but has not received a response at the time of writing.

in Web Service, Security, Posted by logu_ii