FlightAware, the flight tracking service, warned that it might have accidentally leaked sensitive personal information. The company reported the breach as soon as it discovered it, and it’s now urging its users to change their passwords.
The FlightAware platform serves real-time flight-tracking data to its 13 million users, which include aircraft operators. Those accounts have been potentially compromised because of a bad configuration that dates back as far as January 1, 2021. FlightAware only discovered the problem on July 25, 2024, and notified the Office of the Attorney General promptly. “Please note that this notification was not delayed as a result of a law enforcement investigation,” the notification alert reads.
The company explained that all your personal info associated with your FlightAware account has potentially been exposed in this inadvertent data breach. That includes your account credentials, passwords, email, and username. But also other personal info that you shared with FlightAware. Your legal name, date of birth, digital and physical addresses, linked social media accounts, payment info, and social security number might have been leaked. Not everyone has shared every piece of that info, so the exposure could vary between users. For aircraft operators, their title, flight activity, and pilot status could also have been exposed.
Matt Davis, the president and general manager of FlightAware Inc, says he “deeply regrets that this incident occurred.” FlightAware has since patched the bad configuration file that caused this whole mess. It is also forcing people to change passwords. “Out of an abundance of caution, we are requiring you to reset your password,” the notification explained.
Since the breach went unnoticed for so many years, the company is offering free credit monitoring (powered by Equifax) to protect its customers against identity theft and fraud. It’s free for 24 months but it has to be enabled manually through promotion codes.
Source: State of California via Bleeping Computer
