- OneFly leaked thousands of sensitive customer records through an unsecured Elasticsearch instance
- The data included names, IDs, flight details, complete credit card information, and JWT tokens.
- Cybernews urges access controls, refined logs and IP whitelists to mitigate risks
Travel technology and flight content company OneFly has apparently leaked thousands of confidential customer records online, including unredacted payment information.
Security researchers from Cybernews said they recently discovered “thousands of logs” leaked from nine internal Java Spring applications in real time, via an Elasticsearch instance.
The records include people’s names, dates of birth, identification document details, flight numbers, ticket prices, dates, destination airports, full credit card details and JWT tokens.
How to mitigate risk
Cybernews said it was impossible to determine exactly when the data was generated or leaked, but evidence points to early October 2025. We also don’t know exactly how many people are affected by the breach, but researchers said they identified around 10,000 identification records and 6,000 payment cards and called this number “pretty minimal.”
OneFly is a travel technology and flight content company that primarily acts as a global travel content aggregator and airline ticket provider. It connects airlines, online travel agencies (OTAs), and travel technology partners through unified APIs to provide access to worldwide ticket inventories, including low-cost airline fares and GDS/private pricing.
It is by no means a small company. It has between 50 and 200 employees and apparently serves over 100 carriers and major OTAs around the world.
Besides the obvious (using payment data to make fraudulent wire transfers), there are different ways cybercriminals can abuse this information. They may steal customers’ identities to gain certain benefits, or they may reach customers by spoofing airlines and travel agencies.
“In addition, exposed internal user authentication tokens can be used to impersonate the user and obtain further information from the company’s internal systems, as Elastic periodically records currently valid tokens,” Cybernews explained.
To mitigate risk, companies should configure access control rules and restrict access to application logs, refine logging processes, and implement IP whitelists (or something similar) while fixes are made.