Flight tracking site FlightAware blames a “configuration error” for exposing a trove of personal information, including some of its customers' Social Security numbers.
The company, which describes itself as the largest flight data aggregator, said in a notice on its website that it identified an unspecified error on July 25 and that names, email addresses and other information users provided to the company was exposed.
According to FlightAware, the exposed data includes “billing addresses, shipping addresses, IP addresses, social media accounts, phone numbers, dates of birth, the last four digits of credit card numbers, aircraft ownership information, industry, job title, pilot status (if any), and account activity (such as flights viewed and comments posted).”
In a separate notice to the California Attorney General's office, FlightAware said its investigation found that passwords and Social Security numbers had also been compromised.
As a result, the company said it is asking all affected users to reset their account passwords. FlightAware did not say in its notice whether or to what extent customers' stored passwords are encrypted.
The breach dates back more than three years to January 2021, according to a notice filed with the state.
The company's explanation for the configuration error suggests it was a mistake on its part, rather than a malicious cyber attack.
FlightAware has acknowledged that customer data was leaked, but it is unclear whether anyone accessed or removed the data, or whether the company has logs or other technical measures to determine whether anyone downloaded customer data.
FlightAware spokeswoman Kathleen Bangs did not respond to a request for comment or say how many customers would be affected.
FlightAware claims to have more than 10 million monthly users, according to its website.