August 17th, 2024

FlightAware Leaks Customer Data (Name, Email Addresses and Passwords)

FlightAware reported a data breach that exposed customer information because of a configuration error. Affected users must reset their passwords, and the notification reached users more than three weeks after the error was found, which the article presents as a violation of the EU's 72-hour breach-notification rule.


FlightAware has reported a significant data breach that potentially exposed a wide range of customer information, including user IDs, passwords, email addresses, full names, billing and shipping addresses, IP addresses, social media accounts, telephone numbers, birth years, and the last four digits of credit card numbers. The breach was attributed to a configuration error discovered on July 25, 2024. In response, FlightAware has required all affected users to reset their passwords and has corrected the configuration issue. The company expressed regret over the incident and emphasised its commitment to user privacy. The notice does not say whether the exposed passwords were stored hashed or in plaintext, nor whether the data is known to have been copied. The article also notes that FlightAware failed to notify users within the 72-hour timeframe it attributes to EU data-protection rules, since the notification was delayed by more than three weeks; strictly, the GDPR's 72-hour deadline (Article 33) applies to notifying the supervisory authority, while affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34). Users are encouraged to contact FlightAware's customer support for further assistance.

- FlightAware experienced a data breach exposing extensive customer information.

- Affected users are required to reset their passwords.

- The breach was due to a configuration error discovered on July 25, 2024.

- FlightAware's notification to users came more than three weeks after discovery, well beyond the 72-hour window the article cites.

- Users can contact customer support for assistance regarding the breach.

20 comments
By @anyfoo - 6 months
Title is incomplete/almost misleading: much more data than name, email, passwords is leaked:

   Depending on the information you provided, the information may also have included your full name, billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and your account activity (such as flights viewed and comments posted).
Sounded to me like most/everything associated with the profile is affected. Fortunately I didn’t use my account for anything that I can remember, and it used throwaway email and password.
By @ryandrake - 6 months
FlightAware’s iOS app also just stopped supporting iOS 15 and, instead of just letting the old app continue to work, they did it with a full-screen modal telling iOS 15 users to fuck off and buy a new phone, preventing us from using the app that worked last week. Every other app on my phone gracefully continues to work on my old device except this one. This is absolutely bonkers and not the way any legitimate app does backwards compatibility. The developers over there are pretty clearly clowns that don’t know what they are doing.
By @croemer - 6 months
I can confirm the veracity of the email. I got it myself. Note that they say they leaked passwords. They didn't mention whether they were hashed or not, and if so whether with salt or not. I couldn't find a blog post either. The notification email took more than 3 weeks, not impressed.
By @croemer - 6 months
8 months ago, FlightAware wrote a blog post about moving their entire tech stack from TCL. The post is called "Managing a Technical Transformation (Part 1)". I couldn't find Part 2.

https://flightaware.engineering/managing-a-technical-transfo...

By @nomilk - 6 months
Nowhere in the article says 'hashed' passwords, so I presume plaintext (!!!) passwords were leaked.

That's 100x worse than all the other data combined for two reasons: it can be devastating for users, and it's easily preventable (by not storing them in plaintext in the first place).

EDIT: Someone suggests stored passwords were hashed [1]. Hope they're right.

[1] https://news.ycombinator.com/item?id=41278855
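The two comments above turn on whether the leaked passwords were hashed and salted. As an added illustration (not code from FlightAware, from the article, or from any commenter), the Python below stores a constructed in-memory user table two ways: in plaintext, which is exactly what a dump of the table hands an attacker, and as per-user salted PBKDF2-HMAC-SHA256 with constant-time verification, so that a dump yields only salts and digests and two users sharing a password still get different records. The table, usernames and passwords are made up for the example; the storage format string is my own, not any library's.

```python
import hashlib
import hmac
import secrets

# OWASP (2023) minimum iteration count for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_plaintext(db, username, password):
    """Vulnerable pattern: the password is written to the table as-is."""
    db[username] = {"password": password}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest (hex)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(db, username, password):
    """Hardened pattern: only the salted, stretched digest is stored."""
    db[username] = {"password_hash": hash_password(password)}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt/iterations and compare
    in constant time so the comparison leaks no timing information."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaked_credentials(db):
    """What an attacker reads straight out of a dumped table: every
    plaintext password, keyed by username. Hashed records contribute
    nothing here because the password itself is not present."""
    return {u: r["password"] for u, r in db.items() if "password" in r}


def same_stored_value(db, user_a, user_b):
    """True if two users' stored values are identical. With per-user salts
    this is False even when both chose the same password, which defeats
    precomputed (rainbow) tables and cross-user password matching."""
    rec_a = db[user_a].get("password_hash", db[user_a].get("password"))
    rec_b = db[user_b].get("password_hash", db[user_b].get("password"))
    return rec_a == rec_b


def demo():
    # Constructed sample data for the example.
    plaintext_db, hashed_db = {}, {}
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse")]:
        store_plaintext(plaintext_db, user, pw)
        store_hashed(hashed_db, user, pw)
    return {
        "plaintext_leak": leaked_credentials(plaintext_db),
        "hashed_leak": leaked_credentials(hashed_db),
        "plaintext_collide": same_stored_value(plaintext_db, "alice", "bob"),
        "hashed_collide": same_stored_value(hashed_db, "alice", "bob"),
        "login_ok": verify_password(hashed_db["alice"]["password_hash"], "correct horse"),
        "login_bad": verify_password(hashed_db["alice"]["password_hash"], "wrong"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Embedding the scheme and iteration count in each record lets the site raise the work factor later and re-hash users on their next successful login, which is how a store that started weak is migrated without forcing a mass reset like the one described in the article.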

By @zelphirkalt - 6 months
Time for management to take the responsibility that they so often raise as a point when it comes to salary negotiations.
By @gosub100 - 6 months
Possible pirate deviation.
By @croemer - 6 months
Still nothing about it on the website. Only on the official Discourse:

https://discussions.flightaware.com/t/closing-account-due-th...

By @ciabattabread - 6 months
I have the FlightAware free account, but on occasion I’ve bought the Ad removal IAP, via Apple. What personal/billing information beyond my email address do they actually have from me?
By @perch56 - 6 months
The author of the article seems to be confused about the GDPR notification requirements. In the event of a personal data breach, the controller is required to notify the supervisory authority without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach—not the users themselves. However, when it comes to informing end users, the GDPR requires that they be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. It’s mind-boggling that FlightAware took three weeks to inform users, which raises concerns about their handling of the situation. It’s also suspicious that they haven’t clarified whether they are aware if the exposed data was actually copied by bad actors—one should assume it was.
By @udev4096 - 6 months
Breaches are never going to stop because security is never a priority during an initial product release. It's always an afterthought.
By @ilrwbwrkhv - 6 months
Always always put in fake names emails etc when creating accounts. I do not know why anybody puts in their real names in the first place.
By @croemer - 6 months
It's a bit disappointing how there's a total blackout from the company. Nothing on their website/blog/social media. Even the notification emails are arriving staggered over a period of 3 or more days.
By @anothername12 - 6 months
Ah shit I just interviewed there
By @idatum - 6 months
I have an ADS-B receiver. It's a hobby. I didn't get any notification yet.

Looks like I let my guard down with FlightAware. Again, it's a hobby -- supposed to be a joy. I wrote some code to use TTS to play the departure, aircraft, and flight info so I can sit on my deck and enjoy as flights pass by.

FlightAware has my exact location. Of course, so does Google via my phone. But this isn't supposed to be Google. It's a hobby.

And now my hobby is part of the sh*t world of Google and every other data hoarding sociopath enterprise.

I'll stop using piaware.

EDIT:

Logged in to Flightaware.com and got this:

Reset Your Password

Due to a data security incident that potentially involves your personal information and out of an abundance of caution, we are requiring you to reset your password. Additional information was sent to you via email. Please enter your FlightAware username or e-mail address below to reset your password:

By @gkanai - 6 months
Until there are significant financial damages associated with each of these breaches, companies just won't invest enough to secure the information. These sorts of breaches should be existential to the company: they should never happen. And yet, because the penalties are almost nothing, companies just are not incentivized to secure the data appropriately.

If a breach meant the firing of the CEO and the CTO and the board, then you'd know that companies would spend a lot more on security and privacy.

By @23B1 - 6 months
Privacy amendment NOW.