One of the largest flight tracking services, Flightradar24, which shows real-time airplane locations on a map, has suffered a massive data breach that may have leaked the emails and encrypted passwords of over 230,000 users.
The company began sending emails to users earlier this week, asking them to change their passwords. Flightradar24’s incomplete announcement about the issue has upset many users.
The emails asking users to change their passwords contained password reset links, which looked suspicious to users, who thought the messages were a phishing attempt.
“I regret to inform you that late last week we identified a security breach that may have compromised the email addresses and hashed passwords … for a small subset of Flightradar24 users (those who registered prior to March 16, 2016), including you,” the email said.
However, statements on Twitter and the company forum later confirmed the breach and that the password reset links are indeed genuine. Flightradar24 also assured users that no personal or card data was stolen.
The company further stated that all leaked passwords were encrypted; however, it is unclear exactly which hashing algorithm was used. To protect accounts, Flightradar24 has disabled old passwords, and access is possible only through the password reset link. In addition, it is recommended that you change your password on other online services where you use the same email and password.
Katie Carty Tierney, senior director, global sales engineering at WhiteHat Security, commented on the issue:
“The Flightradar24 security incident is an important reminder that our personal information is constantly at risk. WhiteHat Security’s annual Application Security Statistics Report looks at ‘windows of exposure’ across industries each year. What is consistently alarming is the high rate of web applications that are ‘always vulnerable,’ which means an application is vulnerable on every single day of the year.”
“Companies should be implementing stronger password protection practices, but as users, we need to take precautions too. Even if the passwords were hashed, like in the cases of the Flightradar24 and recent MyHeritage breaches, it’s still important to be proactive. If your password for each website is unique, good job, you’re one of the few people that use a different password for each service they log into. It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur,” said Tierney.
Tierney also shared valuable tips for readers to secure their online presence:
1. “Don’t use the same password for all sites and apps. If one site or app is breached, all of your accounts are effectively breached. At the very least, use a variety of passwords to minimize the impact.
2. Turn on two-factor authentication for any app that supports it. It can be a pain, yes, but it’s also one of the best ways to protect your accounts.
3. Only log into sites that use SSL; you’ll know this by checking if there is an ‘https://’ before the rest of the URL.
4. Don’t click on any links or attachments in instant messages or emails. As tempting as they might look, you really are rolling the dice with your personal security.”