Flightaware security breach

NoHeat

Final Approach
Joined
Jul 27, 2009
Messages
5,032
Location
Iowa City, IA
Display Name

Display name:
17
Got this email from Flightaware:

On July 25, 2024, we discovered a configuration error that may have inadvertently exposed your personal information in your FlightAware account, including user ID, password, and email address. Depending on the information you provided, the information may also have included your full name, billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and your account activity (such as flights viewed and comments posted).​
What We Are Doing?​
FlightAware values your privacy and deeply regrets that this incident occurred. Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password.​
 
How can they expose my password, I wonder? I thought that passwords are are normally encrypted on servers.
 
How can they expose my password, I wonder? I thought that passwords are are normally encrypted on servers.
Yes, but if you can get ahold of the encrypted file, there is a good chance many could be cracked, depending on how strong an encryption algorithm was used in the first place
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
That would take us back to the Stone Age right quickly.
 
Passwords are "normally" encrypted as you say, but that doesn't mean that everyone does that. You have no way of knowing whether any particular website does or not. Hackers can also use rainbow tables where they have precomputed the encrypted version of millions/billions of common passwords and they can just search the password file to see if there are any matches. There are ways to mitigate that (such as salting the passwords) but, again, you don't know if the website is doing that.
 
How can they expose my password, I wonder? I thought that passwords are are normally encrypted on servers.

If by "normally" you mean "usually" then yes. But "usually" doesn't mean "always". And they could be decryptable or crackable especially if they're not using industry best practices.
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
How about a simple $2000 to each affected person for the actions they now have to take to protect indentify and account information instead.
 
For those that did not receive the email, does that mean they are not affected?
Asking for a friend.
 
Passwords are "normally" encrypted as you say, but that doesn't mean that everyone does that. You have no way of knowing whether any particular website does or not. Hackers can also use rainbow tables where they have precomputed the encrypted version of millions/billions of common passwords and they can just search the password file to see if there are any matches. There are ways to mitigate that (such as salting the passwords) but, again, you don't know if the website is doing that.
One-way hashed password and salted to avoid use of rainbow tables. Too easy to do and can't imagine any reasonably sophisticated company like Foreflight not doing this. Interesting. I never got the notification.

Sent from my SM-S918U using Tapatalk
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
Fine schmine. That’s like pocket change to some. Houzabout a real ‘deterent.’ Use your imagination
 
For those that did not receive the email, does that mean they are not affected?
Asking for a friend.
It means your friend's email was already hacked. The hackers intercepted the warning and deleted it so your friend would never know.
 
That would take us back to the Stone Age right quickly.
On the plus side, we wouldn't have to worry about computer hacking any more then.
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
Nah, the hackers responsible should be held in stocks in the public square and then punished severely. Same for the spam call overlords.
 
One-way hashed password and salted to avoid use of rainbow tables. Too easy to do and can't imagine any reasonably sophisticated company like Foreflight not doing this. Interesting. I never got the notification.

Sent from my SM-S918U using Tapatalk
The original post references Flightaware.
 
I have a real love/hate relationship with tech. For context, I'm so old that my 600-page PhD thesis was produced on a typewriter (at least it was an electric typewriter, but my term papers in college were produced on a manual typewriter before electric typewriters became common--yes, I'm THAT old). And graphics didn't get to the point where they were helpful until I was well into my career.

On the one hand, tech does, in fact, make life a lot easier and more efficient....when it works like it's supposed to. But it sure has introduced a lot of negative things into our lives, too. I guess it's all relative. Those of you who grew up in a post-tech world (i.e., after personal computers became common) don't know any different.
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
If I were the president of this land, I'd declare total war on the hacker man.
hackerman.jpg
 
When I become president, $1 billion fine per person for any company that has a security breach of sensitive data. I’m sick of it.
I'll back that if the law includes the death penalty for anyone committing these security breaches.
I seem to remember a Clancy novel (I think) where we bombed a building in China where a hacking group was based. I liked that concept.
 
I missed it - what is the risk of having our login to FlightAware compromised?
I don't believe their is anything of value there.
 
On the one hand, tech does, in fact, make life a lot easier and more efficient....when it works like it's supposed to. But it sure has introduced a lot of negative things into our lives, too. I guess it's all relative. Those of you who grew up in a post-tech world (i.e., after personal computers became common) don't know any different.
I've often thought computers and the "ease" of versioning just meant you spent the same amount of time on a project, but the number of options created/reviewed went up by a factor of 10. When, in fact, you knew the optimum solution was probably in one of the first 3 options you generated...
 
The only risk I can see is if you used the same password on multiple sites…

Which is why one needs a three-part password (at minimum). One part that's standard across all passwords. One that can increment as each service requires its own update schedule. And one part that's unique to each site. If each of these parts is four characters long, you'll have a minimum password length of twelve.
 
The only risk I can see is if you used the same password on multiple sites…

Dang. That means they can get into my POA account too.

Whoops, different username and email adrress for the two. I’ll mark myself safe from this breach.
 
It’s quite annoying, but you can control who has what data of yours. Do you need to always gives your full name address phone email etc. Something to think about, you cannot control their systems and the users who have access to them. All of the hotel chains also had data leaks too.
 
Back
Top