FlightAware has reported a data breach in which, among other things, usernames, email addresses, passwords, phone numbers and the last four digits of credit card numbers were exposed. FlightAware is the most popular commercial flight tracking service.

In an email to customers FlightAware tells us that nearly all of the personal data of an “unspecified number” of users may have been exposed for some time due to a “configuration error.” According to Strauss Borellia law firm investigating the data breach on behalf of FlightAware, said unauthorized parties may have accessed sensitive personal information on the service’s systems between January 1, 2021 and July 25, 2024.

This is in any case related to the users’ username, password, and email address. Depending on the additional information they added to their accounts, their full name, social media accounts, last four digits of their credit card number, social security number, home and IP address, phone number, year of birth, and account activity were also allegedly leaked. Account activity includes comments posted and trips viewed.

According to Flightaware, the configuration error was fixed immediately after it was discovered on July 25. Investigations are ongoing to determine whether the exposed data was exploited by malicious parties. The company did not mention whether the passwords were hashed and salted. However, it does state that all users should reset their passwords “as a precaution.”