FlightAware Exposed User Data for Years
Flight tracking giant FlightAware has revealed that a significant configuration error led to the exposure of sensitive user data for more than three years. The data breach, which the company discovered on July 25, 2024, dates back to January 2021.
The compromised data includes a wide range of personal information, such as names, email addresses, billing and shipping addresses, IP addresses, telephone numbers, social media accounts, and even the last four digits of users' credit card numbers.
Notably, sensitive details such as Social Security numbers and account passwords were also exposed, as reported by TechCrunch. The scale of the data breach raises serious concerns about potential identity theft and unauthorized account access.
FlightAware has informed affected users through a notice on its website and a filing with the California Attorney General’s office. The company emphasized that the breach resulted from a "configuration error" rather than a targeted cyberattack. However, it remains unclear whether any of the exposed data was accessed or exfiltrated by unauthorized parties during the three-year period.
In response to the breach, FlightAware has mandated a password reset for all affected users. The company is also offering a complimentary 24-month identity protection service through Equifax to help users safeguard against potential misuse of their information.
"Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password," FlightAware stated in its notice, urging users to take immediate action.
The scope of the breach remains under investigation, and no definitive numbers on how many users were impacted have been provided. FlightAware, which boasts more than 10 million monthly users, has yet to provide further details on the extent of the incident or the specific measures taken to prevent similar occurrences in the future.
As this story continues to develop, users are advised to monitor their accounts closely and report any suspicious activity to law enforcement authorities.
This incident comes amid increasing scrutiny of companies' data protection practices. Just last year, cybersecurity firm Avast was fined $16 million for selling user data without consent. As tech companies face mounting pressure to secure customer information, the FlightAware breach shows that even minor lapses in configuration can have an outsized impact on user privacy.