Flight tracking platform FlightAware is asking some users to reset their account login passwords due to a data security incident that may have exposed personal information.

The technology company is based in Houston, Texas and provides real-time as well as historical flight tracking data. FlightAware is considered the world’s largest flight-tracking platform with a network of 32,000 Automatic Dependent Surveillance-Broadcast (ADS-B) ground stations in 200 countries.

In a notification on the website of California’s Office of the Attorney General, the company informs that the date of the data security incident is January 1, 2021 and the cause was a configuration error.

The error was discovered on July 25, 2024, leaving personal user information exposed for more than three years. It is unclear if any of the data has been compromised.

“On July 25, 2024, we discovered a configuration error that may have inadvertently exposed your personal information in your FlightAware account, including user ID, password, and email address,” reads the notice.

Additionally, the following data types may have been compromised for some users, depending on whether people opted to add them on their accounts:

• Full name
• Billing address
• Shipping address
• IP address
• Social media account
• Telephone number
• Year of birth
• Last four digits of credit card number
• Information about aircraft owned
• Pilot status
• Industry and title
• Account activity (including flights viewed and comments posted)
• Social Security number (SSN)

FlightAware said that the configuration error has been remediated now, and all account holders whose data has been exposed will be prompted to reset their passwords on their next login to the platform.

“Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware.” – FlightAware

The service also provides a dedicated page for the users that want to reset their account password immediately, available here.

All users receiving the data security incident notification are offered a free-of-charge 24-month identity protection package through Equifax and are advised to report suspicious activity to their local law enforcement authorities.

Any user relying on the same credentials for logging into other online platforms should reset them there too as soon as possible to mitigate the risk of account hijacking via credential stuffing attacks.

BleepingComputer has asked FlightAware if they have evidence of unauthorized access and the number of impacted users, and we will update this post when we hear back.