Airline Customer Data Left Exposed For Months

The Canadian low-cost carrier Flair Airlines left sensitive customer databases and email addresses exposed for about seven months, increasing the risk of passengers’ personal information, including emails, names, or addresses, being accessed by criminals.

A malicious actor could use names in conjunction with addresses, emails, and phone numbers to commit identity theft by creating accounts on the person’s behalf without their consent. 

The exact amount and full contents of the exposed databases are currently unknown, although at least one subdomain was collecting private usernames, emails, phone numbers, and flight details. Researchers issued several notifications about the flaw, warning that the exposed files contained MySQL database credentials, the carrier’s email account credentials, and secret tokens and app keys.

An essential requirement in web development is to keep crucial .env files secure because they often contain sensitive information that could be used to compromise services or applications, as Cybernews researchers explain. “The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the Internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database.”
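A deployment check for the failure the researchers describe, written for this page as an added example (not code from Cybernews or Flair Airlines): it walks a directory that a web server serves, reports any .env files found there, lists the names of credential-like keys without printing their values, and flags database hosts that are not loopback or private addresses. The key-name patterns, the `public/api` layout and all sample values are constructed assumptions.

```python
import ipaddress
import os
import re
import tempfile

# Key names for what the article says leaked: credentials, tokens, app keys.
SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|APP_KEY", re.I)
DB_HOST_RE = re.compile(r"^(DB|DATABASE|MYSQL)_HOST$", re.I)

def parse_dotenv(text):
    """Parse KEY=VALUE lines, skipping blanks, comments and malformed lines."""
    rows = (ln.strip() for ln in text.splitlines())
    rows = (ln.partition("=") for ln in rows if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, _, v in rows}

def is_internal_host(host):
    try:  # localhost or a loopback/private IP literal counts as internal
        return host.lower() == "localhost" or ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name: cannot tell offline, so flag it for review
        return False

def audit_webroot(webroot):
    """List dotenv files under a served directory; key names only, never values."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name != ".env" and not name.startswith(".env."):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_dotenv(fh.read())
            secrets = sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))
            hosts = sorted(v for k, v in env.items()
                           if v and DB_HOST_RE.match(k) and not is_internal_host(v))
            findings.append({"file": os.path.relpath(path, webroot),
                             "secret_keys": secrets, "external_db_hosts": hosts})
    return findings

def demo():
    """Audit a constructed tree (placeholder values, not data from the incident)."""
    sample = ("APP_KEY=placeholder\nDB_HOST=db.example.test\nDB_USERNAME=app\n"
              "DB_PASSWORD='placeholder'\nMAIL_PASSWORD=placeholder\nAPP_DEBUG=false\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public", "api"))
        with open(os.path.join(root, "public", "api", ".env"), "w") as fh:
            fh.write(sample)
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Any finding means a secrets file sits where the server can hand it to a visitor; the credentials in it should be rotated and the file moved outside the served directory.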

Right now, it is impossible to know if any malicious actors took advantage of the leak, but the public .env files were first observed in August 2022, meaning that they were accessible for almost seven months. 

The Cybernews research team discovered the leak at the beginning of 2023, and it reportedly took a few months of follow-up notifications until the vulnerability was resolved. “Leaks like this can often be a starting point for cyber criminals. Firstly, to research what information their target could store, what technologies and security measures they are using... Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals.” 

In this case, the database was hosted publicly, meaning that malicious actors could have accessed user information without exploiting any vulnerabilities.

Access to the email credentials would allow an attacker to log in and send emails from the compromised addresses. This is dangerous because phishing attacks launched from official Flair Airlines email addresses could easily trick victims into trusting them.

Sources: Security Affairs, Aviation Source, CBC, TEISS, I-HLS, Cybernews
