Long-standing FlightAware Configuration Blunder Exposes Sensitive User Data: Critical Security Breach Uncovered

Discover how a FlightAware configuration error led to years of user data leakage, potentially exposing sensitive information, including names, addresses, phone numbers, and more. Learn about the steps taken to resolve the issue and protect user privacy.

FlightAware, a popular flight tracking platform, has recently asked some users to reset their account login passwords due to a data security incident that may have exposed personal information. Based in Houston, Texas, FlightAware is considered the world’s largest flight-tracking platform, providing real-time and historical flight tracking data through a network of 32,000 Automatic Dependent Surveillance-Broadcast (ADS-B) ground stations in 200 countries.

Data Security Incident Details

According to a notification on the website of California’s Office of the Attorney General, the data security incident occurred on January 1, 2021, and was caused by a configuration error. Unfortunately, the error was only discovered on July 25, 2024, which means that personal user information could have been exposed for more than three years. It is still unclear if any of the data has indeed been compromised.

In the official notice, we learn that the exposed personal information may include user ID, password, and email address. Additionally, the following data types could have been compromised for some users, depending on whether they opted to add them to their accounts:

  • Full name
  • Billing address
  • Shipping address
  • IP address
  • Social media account
  • Telephone number
  • Year of birth
  • Last four digits of credit card number
  • Information about aircraft owned
  • Pilot status
  • Industry and title
  • Account activity (including flights viewed and comments posted)
  • Social Security number (SSN)

Response and Recommendations

FlightAware has taken steps to address the configuration error and has prompted all account holders whose data may have been exposed to reset their passwords on their next login to the platform. They have also set up a dedicated page for users who wish to reset their account password immediately.

As a precaution, all users receiving the data security incident notification are being offered a free 24-month identity protection package through Equifax. They are also advised to report any suspicious activity to their local law enforcement authorities.

It’s crucial for users who have reused the same credentials for logging into other online platforms to reset them as soon as possible to mitigate the risk of account hijacking via credential stuffing attacks.

What You Can Do

As we continue to investigate this incident and await further information from FlightAware, it’s essential for users to remain vigilant and take the necessary steps to protect their personal information. If you’ve been affected by this data security incident or have concerns about your online security, don’t hesitate to contact us for assistance and guidance. Remember, staying informed and proactive is the key to safeguarding your digital life, so keep coming back to learn more about the latest developments in cybersecurity.
