FlightAware, a global leader in flight tracking services, has disclosed a data breach that may have exposed the personal information of its users.
The company reported that a configuration error discovered on July 25, 2024, inadvertently exposed sensitive data, including user IDs, passwords, email addresses, and potentially even Social Security Numbers.
FlightAware, headquartered in Houston, Texas, is a prominent provider of flight tracking services, catering to both commercial and private aviation. With millions of registered users worldwide, the company’s platform provides real-time flight tracking, historical data, and aviation insights. The potential exposure of such a broad spectrum of personal information raises concerns about the security of the platform and its users.
Incident details
The security incident was caused by a configuration error within FlightAware’s systems. While the company detected the issue on July 25, 2024, the breach notification sent to affected individuals indicates that the error may have existed since January 1, 2021.
This timeframe suggests that the exposed data might have been accessible for an extended period, though the exact duration remains unclear. We have reached out to FlightAware to confirm whether January 1, 2021, marks the beginning of the breach or simply the misconfiguration, but have not received a response yet.
The information potentially compromised includes a wide range of personal data:
- User ID, password, and email address
- Full name, billing and shipping addresses, IP address
- Social media accounts, telephone numbers, year of birth
- Last four digits of credit card numbers
- Information about aircraft ownership, industry, job title, and pilot status
- Account activity, such as flights viewed and comments posted
- Social Security Number
Notably, the breach notification does not specify whether the exposed passwords were stored in plaintext or encrypted, leaving users uncertain about the level of risk to their accounts.
The exact number of individuals affected by this breach remains unknown, as FlightAware has yet to disclose these details. The potential impact, however, is significant given the variety of sensitive data involved.
FlightAware’s response
FlightAware says it has taken action to rectify the configuration error, although several years have passed since it was introduced. As a precautionary measure, the company is requiring all potentially affected users to reset their passwords upon their next login. Additionally, FlightAware is offering two years of complimentary credit monitoring services through Equifax to help users safeguard their financial information.
For those who may be impacted by this breach, FlightAware has provided several recommendations:
- Regularly check bank and credit card statements for any unauthorized activity.
- If you suspect identity theft, report it to the Federal Trade Commission.
- Obtain a free copy of your credit report from each of the three major credit reporting agencies.
- Consider placing a fraud alert or security freeze on your credit report to prevent unauthorized access.
TangoFoxtot
I got an email from them yesterday. Did they offer any solutions or credit monitoring services? Nope.