Users of FlightAware, the world’s largest flight-tracking platform, are being prompted to change their login credentials following a reported “data security incident.”
According to FlightAware, the breach may have leaked sensitive customer information. The problem was discovered on 25 July, but the exposure may have been ongoing since January 2021.
Company officials say they believe it may have resulted from a “bad configuration,” which has since been fixed.
FlightAware Hasn’t Disclosed the Number of People Affected

FlightAware submitted a breach notification to the California Office of the Attorney General immediately upon the discovery of the breach.
The company also sent out a letter to customers notifying them that the data leak could have exposed a wide range of personal information.
“FlightAware values your privacy and deeply regrets that this incident occurred,” FlightAware president Matt Davis said in the letter. “Once we discovered the exposure, we immediately remedied the configuration error.”
The list of potentially compromised personal data includes:
- User IDs
- Passwords
- Email addresses
- Full names
- Billing addresses
- IP addresses
- Social media accounts
- Phone numbers
- Years of birth
- The last four digits of credit card numbers
- Social Security Numbers
Additionally, aircraft operators might have had titles, aircraft ownership details, account activity, flight activity, and pilot status compromised.
FlightAware has not revealed the exact number of customers affected. However, company officials tell London-based technology news publication The Register that “only 16 Social Security Numbers were potentially exposed.”
FlightAware also confirmed to The Register that passwords “were hashed and salted, not stored in plaintext,” reducing the risk of immediate misuse.
It is important to note that not every FlightAware user was affected by the breach. The site offers four membership tiers, including a free “basic” level that requires only your name and email address.
Taking Action to Mitigate the Damage

Upon discovering the breach, FlightAware immediately reported it to California’s Office of the Attorney General. The company is requiring customers to change their passwords, which users will be prompted to do upon their next login. You can also do it now via this page.
FlightAware is also partnering with Equifax to offer two years of free credit monitoring services to help protect customers from potential identity theft and fraud.
Finally, officials also recommend that you update your credentials on any other sites where the same information might have been used.
Despite FlightAware’s quick fix, officials have not explained why the company waited over a week to notify the public of the breach following its discovery on 25 July. However, the company did disclose that the delay was “not due to a law enforcement investigation.”
About FlightAware

Headquartered in Houston, Tex., FlightAware launched in 2005 and has over 12 million users. It operates 32,000 automatic dependent surveillance-broadcast (ADS-B) ground stations in 200 countries. In 2021, it was acquired by Charlotte, NC-based Collins Aerospace.
