Plane tracker app FlightAware admits user data exposed for years

Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years. It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year. The …

  1. Zibob Silver badge

    Equifax

    "Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax."

    Oh so nothing to worry about there then, they have never "lost" customer info...

    1. sandy_al

      Re: Equifax

      I received the letter from FlightAware. No mention of Equifax.

      All it says is:-

      What Other Steps Can You Take?

      If there is anything FlightAware can do to further assist you, please email our Customer Support Center at privacy@flightaware.com or write to FlightAware - Attn:  Privacy, 11 Greenway Plaza, Suite 2900, Houston, TX 77046.

      1. Zibob Silver badge

        Re: Equifax

        Interesting. Definitely get in touch with them and ask for it. Another poster got the same: an email saying it happened but no mention of Equifax, so something is amiss.

        1. Doctor Syntax Silver badge
          Flame

          Re: Equifax

          Frying pan and fire?

    2. TheBruce

      Re: Equifax

      I received an email but my email app said no valid message body or attachments were found???

  2. Red Sceptic
    Facepalm

    Just why …

    … would a flight tracking app need anyone’s SSN?

    1. TimMaher Silver badge
      Pint

      Re: Just why …

      Yeah, I was wondering that.

      Have a beer——>

    2. G40

      Re: Just why …

      KYC. Then they dropped the C and a whole lot more.

    3. Snake Silver badge
      FAIL

      Re: Just why …

      Probably because they asked. And the gullible sheep users happily *gave* them that info because they did, indeed, ask.

      Business is your friend. Always trust business.

      1. Goopy

        Re: Just why …

        They never asked me. As for my credit card info, I switched it to Google Pay last year, so that's a randomly generated number for them, and it doesn't matter anyway. I unsubscribed; I'll get to use the app until May of 2025.

        1. J__M__M

          Re: Just why …

          The question is why are you paying them money? Every flight tracker's preferred currency is ADSB data, so give them that instead.

    4. Goopy

      Re: Just why …

      That was the weird part, cuz I've got a yearly subscription with them (well, I used to have a yearly subscription with them until 20 minutes ago), but they never needed my social security number.

      They got, you know, they lost the last four digits of my credit card, which is okay because it's been updated since, like, around last year or so, so that won't matter.

      But the social security number thing I don't get that at all.

    5. 142
      WTF?

      Re: Just why …

      Given that they seem to be saying that plaintext passwords were leaked, I presume they were also stupid enough to use SSN as a password recovery question.

    6. herman Silver badge

      Re: Just why …

      Americans are crazy handing out SINs. I don’t have one and I moved multiple times since starting to play with this system - so, no worries.

    7. Doctor Syntax Silver badge

      Re: Just why …

      Demanding stuff like that and then losing control at scale is something that should attract mandatory fines and damages (with the latter taking priority) sufficient to wipe out the company. Shareholders can sue the manglement - but not, as seems to be normal practice, themselves, to try to get some money back.

  3. This post has been deleted by its author

  4. Anonymous Coward

    Odd... my notification e-mail from FlightAware made no mention of Equifax monitoring. They simply said "We're sorry, and we're requiring that you change your password." That's it.

  5. hamrag

    SSN?

    Why on earth would a flight tracking app need someone's Social Security Number? I know yanks love using their SSN for all kinds of identification, but this seems ridiculous.

    1. Kevin McMurtrie Silver badge

      Re: SSN?

      They're not supposed to have it or ask for it unless it's needed for government ID (income, taxes, etc.).

      1. Snake Silver badge

        Re: SSN?

        Businesses here ask for all sorts of personal information if they can get it, and people are stupid enough to just toe the line and fork it over on the whim.

        One of my doctors asked me for my driver's ID - err, no. Sorry, you're not getting it.

        But the thousands of other patients? Forked it over just because they were asked.

        1. Cav Bronze badge

          Re: SSN?

          I recently checked in for a hospital appointment, for me and only me. They asked for both my full SSN and that of my wife. We didn't provide either of them and my appointment still went ahead. I proved my ID with my driver's license and my health insurance with the appropriate card. That's all they needed. Just fishing for all they could get...

          1. DS999 Silver badge

            Re: SSN?

            My hospital never asks for ID. I just show up for an appointment and they ask my name and DOB and I'm checked in. If you haven't done the e-checkin then they give you a tablet to fill out stuff to update your current medical situation but you can waive that off, or at least they let my 86-year-old mom avoid it. It seems like it would be so easy for me to get medical services on someone else's insurance by making an appointment under their name and all I'd need to get seen was their DOB. I could get an elective procedure that they'd eventually get billed for rather than me! Not sure but if I got a prescription and had them fill it in the hospital's pharmacy I might be able to tell them to "bill me" for the co-payment and walk out the door with some expensive medications.

            So while a hospital asking for your SSN is pretty extreme, I think there may be problems on the other end of the "identify yourself" spectrum. I'm sure you need to provide more information the first time you're seen at my hospital, but it appears as though once you're in their system there's an overabundance of trust.

            1. heyrick Silver badge

              Re: SSN?

              Here in France we have a medical card (Carte Vitale) that says who we are and what our rights are (universal basic coverage, top up policy, etc). Doctors, hospitals, pharmacies, just hand that over. I was once asked for my passport because my card is an ancient one without a photo. The woman looked at the name and date of birth. Matched the medical card. All she was interested in.

              We also have the GDPR that requires that information demanded is relevant, and not simply asked for because it can be.

        2. Throatwarbler Mangrove Silver badge
          Unhappy

          Re: SSN?

          Gosh, why would a doctor need definite proof that you are who you say you are? That's a stumper.

        3. An_Old_Dog Silver badge
          Flame

          Re: SSN?

          One day my bank asked me questions about my job with the cheery justification, "We're just updating our records."

          (No, you lying fuckers, you are not. The word 'updating' implies you have a particular piece of information to begin with. I certainly never gave you any info about my job; you're trying to deceive me into giving you that info, now.)

          I gave the clerk a brittle smile and cheerily intoned, "I don't give that out."

          1. Anonymous Coward

            Re: SSN?

            My credit card company annually asks for my income and debt information. It's so they can increase my credit limit despite me asking them not to. Despite being marked as "optional", there's no "no thanks" option, and they keep asking until you provide it. (Then repeat next year.)

            At one point I got fed up and told them I had no income and paid $999,999 per month on my mortgage. It's been a couple years, and nobody's said a word.

        4. Sitaram Chamarty

          Re: SSN?

          Same in India, and maybe worse too, because the government makes just enough noises to make people think Aadhaar number is mandatory for various things (e.g., getting a SIM card), but in fact all they need is *some* form of govt ID.

          I was asked for my Aadhaar number (aka Modi's version of "papers please" as far as I am concerned) to get a replacement SIM card. I refused and offered my driver's license. The semi-literate chap didn't know what to do and looked to his boss, who -- luckily (for me? for them?) -- seemed to know it was sufficient. But in the course of this episode I got to hear how "everyone gives it" and "he's never heard of anyone having problems with it" and so on.

          1. Wzrd1 Silver badge

            Re: SSN?

            "The semi-literate chap didn't know what to do and looked to his boss, who -- luckily (for me? for them?) -- seemed to know it was sufficient."

            Of course, you needed to provide your social security number to acquire that driver's license.

            1. herman Silver badge

              Re: SSN?

              If you are an illegal alien, then you can get a driver's license without a SSN.

              1. spold Silver badge

                Re: SSN?

                ...well if you can fly a spaceship I guess they figure a car would be fairly simple.

              2. werdsmith Silver badge

                Re: SSN?

                I think they create a SSN for you at the time of issue of the licence. At least that's what they do when they issue an FAA pilot's licence.

            2. DS999 Silver badge

              Re: SSN?

              I didn't even have a SSN when I got my driver's license, and haven't ever provided it since. I guess it varies by state, and some want to do more data collection than others.

              Not that it's worth worrying about, my state already knows my SSN from my tax filings...

  6. Martin-R

    Passwords?!

    How on earth were actual passwords leaked? Please tell me they don't store the password instead of a hash...

    And no, I didn't get any offer of Equifax - perhaps that was only offered in the US?

    1. Wzrd1 Silver badge

      Re: Passwords?!

      I wonder if they've finally adopted that highly advanced security practice, you know, locking the doors after they leave for the evening.

      Storing password hashes, rather than passwords, is only as basic.

      But, they're offering the same wonderful deal that OPM gave when they exposed every detail of every cleared DoD person, from SSN to well, the most intimate details of their lives and their fingerprints. Maybe next blunder, our entire genetic code can get leaked as well... Omitting one upside to the OPM debacle, with OPM at least I could apply for a PRC security clearance.

      And one upside for me at least, this one doesn't impact me, as I never got an account with these children of unacquainted parents.

      Hopefully, the fertility clinic cleans their test tubes better after these defectives were born.

      Still, never fear. The CEO will get the golden parachute and a new career opportunity to move onto another company to perform a similar disservice, like the locusts that still plague crops in some parts of the world. If only we had the corporate version of DDT...

  7. Anonymous Coward

    Two years of Equifax

    So, 12 years in total for me....

    1. John Brown (no body) Silver badge

      Re: Two years of Equifax

      That's something I've wondered about. Do these "free" accounts accumulate so you actually get more time, or do the likes of Equifax just pocket the money and treat it as "already got an account, 18 months left on, start the new one now so only an extra 6 months"? If they add on and accumulate, some people might end up with "free" lifetime cover.

  8. Anonymous Coward

    Oops

    I turned on FlightAware, I have been automatically logged out.

    I log back in, my subscription doesn't renew until May of 2025, so I'm going to enjoy the rest of my current subscription until then, but I have canceled my subscription; I do not want to renew for $6 in May 2025.

  9. AbnormalChunks

    Feeder

    I too got an email from FlightAware as I'm feeding my Pi-based ADSB receiver into their network. Luckily this gives me a free subscription so no financials involved; however, as a feeder there's some other info potentially exposed, so not great. It seems as though FlightRadar24 is bigger on this side of the pond as they're EU based (the BBC always uses it, for example). They've had DDoS type attacks before but no data breaches so far?

    1. Wzrd1 Silver badge

      Re: Feeder

      "...they've had DDoS type attacks before but no data breaches so far?"

      How would you know? Until the data is capitalized upon, it could still be out there waiting until just the perfect inopportune time to be utilized to your disadvantage.

      1. John Brown (no body) Silver badge

        Re: Feeder

        Being EU based, they are legally required to notify both their home government's relevant authority and the users in a timely manner. Failure to do so can get very expensive.

  10. andy the pessimist

    gdpr?

    They have an office in London. Would they be liable to GDPR?

  11. Jim Whitaker
    WTF?

    They can't **need** an SSN since I don't have one (British) but do have a subscription. Why are they storing passwords? And I had no mention of an Equifax subscription in the email.

    1. Doctor Syntax Silver badge

      "Why are they storing passwords?"

      To check on login. But it should be stored as a hash. It's possible that whoever announced what was leaked didn't know the difference between plain text and a hash. Most likely, of course, is that it's stored in plain text.
