- OneFly leaked thousands of sensitive customer records via unsecured Elasticsearch instance
- Data included names, IDs, flight details, full credit card info, and JWT tokens
- Cybernews urges access controls, refined logging, and IP whitelisting to mitigate risks
Travel technology and flight content company OneFly has apparently leaked thousands of sensitive customer records, including unedited payment information, online.
Security researchers from Cybernews said they recently discovered “thousands of records” leaking in real time from nine internal Java Spring applications, through an exposed Elasticsearch instance.
The records include people’s names, dates of birth, ID document details, flight numbers, ticket prices, dates, destination airports, full credit card details, and JWT tokens.
How to mitigate the risk
Cybernews said it was impossible to determine exactly when the data was generated, or leaked, but evidence points to early October 2025. We also don’t know exactly how many people are affected by the breach, but the researchers said they identified around 10,000 ID records and 6,000 payment cards and called this number “rather minimal”.
OneFly is a travel technology and flight content company that acts mainly as a global travel content aggregator and air-ticket supplier. It connects airlines, online travel agencies (OTAs) and travel tech partners through unified APIs to provide access to worldwide ticket inventories, including low-cost carrier fares and GDS/private pricing.
It is, by no means, a small company. It has between 50 and 200 employees, and apparently serves more than 100 carriers and major OTAs worldwide.
Besides the obvious – using payment data to make fraudulent wire transfers – there are different ways in which cybercriminals can abuse this information. They can steal customer identities to gain certain advantages, or they can reach out to the customers spoofing airlines and travel agencies.
“Additionally, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal company systems, given that Elastic is regularly logging currently valid tokens,” Cybernews explained.
To mitigate the risk, businesses should configure access control rules on the Elasticsearch instance and restrict access to application logs, refine the logging processes so that tokens and card data are not written to logs in the first place, and implement IP whitelisting (or similar) while the fixes are ongoing.
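One way to implement the “refine the logging processes” step, as an added example that is not code from OneFly, Cybernews or this article: a scrubber run over log lines before they are indexed into Elasticsearch, which redacts JWTs and Luhn-valid card numbers while leaving booking references and amounts intact. The log lines below are constructed samples, not data from the breach.

```python
import re

# Constructed sample log lines (not real customer data) of the kind the report
# says ended up in Elasticsearch: a bearer JWT and a full card number.
SAMPLE_LOG_LINES = [
    "INFO booking pnr=ABC123 card=4111111111111111 exp=12/27 amount=412.00",
    "DEBUG auth header=Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc-DEF_123",
    "INFO flight LO123 WAW-JFK price=412.00 ref=987654321",
    "INFO gds ref=1234567890123456 status=OK",  # 16 digits, not a valid card
]

# A JWT is three base64url segments separated by dots; the header almost
# always starts with "eyJ" (base64 of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}(?![A-Za-z0-9_-])")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so that booking references are not masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, keep the reference/amount as is
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for support


def scrub(line: str) -> str:
    """Redact JWTs and card numbers from one log line before it is shipped."""
    line = JWT_RE.sub("[JWT-REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


def scrub_lines(lines: list[str]) -> list[str]:
    return [scrub(line) for line in lines]
```

Hook `scrub` into the log appender that feeds Elasticsearch; scrubbing at the source is what keeps currently valid tokens out of the index, whereas access controls alone only limit who can read them.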
