- OneFly leaked thousands of sensitive customer records via an unsecured Elasticsearch instance
- Data included names, IDs, flight details, full credit card details and JWT tokens
- Cybernews encourages access control, refined logging and IP whitelisting to mitigate risks
Travel technology and flight content company OneFly has apparently leaked thousands of sensitive customer records, including unredacted payment information, online.
Security researchers from Cybernews said they recently discovered “thousands of records” leaking in real time from nine internal Java Spring applications through an Elasticsearch instance.
The records include people’s names, dates of birth, ID document information, flight numbers, ticket prices, dates, destination airports, full credit card information, and JWT tokens.
How to reduce risk
Cybernews said it was impossible to determine exactly when the data was generated or leaked, but evidence points to early October 2025. We also don’t know exactly how many people are affected by the breach, but the researchers said they identified about 10,000 ID records and 6,000 payment cards, calling that number “pretty minimal.”
OneFly is a travel technology and flight content company that operates primarily as a global travel content aggregator and airline ticketing provider. It connects airlines, online travel agencies (OTAs) and travel technology partners through unified APIs to provide access to worldwide ticket inventories, including low-cost carriers and GDS/private fares.
It is by no means a small business. It has between 50 and 200 employees and apparently serves more than 100 airlines and major OTAs worldwide.
Besides the obvious – using payment data to make fraudulent bank transfers – there are various ways in which cybercriminals can misuse this information. They can steal customer identities to gain certain benefits, or they can reach out to customers spoofing airlines and travel agencies.
“Additionally, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal enterprise systems, given that Elastic regularly logs currently valid tokens,” Cybernews explained.
To mitigate the risk, companies should configure access control rules and restrict access to application logs, refine the logging processes, and implement IP whitelisting (or similar) while the fixes are in progress.
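One way to approach the "refine the logging processes" step, as an added example that is not code from Cybernews or OneFly: a scrubber run over each log line before it is shipped to Elasticsearch, masking JWTs and Luhn-valid card numbers. The regexes, function names and sample log lines are assumptions constructed for illustration.

```python
import re

# A JWT is three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Card number candidate: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()    # booking ids, counters etc. stay readable
    return "[PAN ****" + digits[-4:] + "]"


def scrub(line: str) -> str:
    """Return the log line with JWTs removed and card numbers masked."""
    line = JWT_RE.sub("[JWT REDACTED]", line)   # tokens first, so their digits are gone
    return PAN_RE.sub(_mask_pan, line)


# Constructed sample lines (test card number, dummy token, made-up booking id).
SAMPLE_LINES = [
    "2025-10-03 12:00:01 INFO PaymentService charge card=4111 1111 1111 1111 amount=120.50",
    "2025-10-03 12:00:02 DEBUG AuthFilter Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
    "2025-10-03 12:00:03 INFO BookingService booking=1234567890123456 flight=XX123",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(scrub(sample))
```

Scrubbing reduces what an exposed index can reveal; it does not replace authentication and network restrictions on the Elasticsearch instance itself.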



