Popular flight tracking app FlightAware has admitted that it exposed the data of a large number of users for more than three years.

The company made the admission in a notice filed last week with California Attorney General Rob Bonta, saying the breach began on January 1, 2021, but wasn’t discovered until July 25 of this year.

The incident was attributed to an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points that you would expect in a breach, depending on what information the user has provided in their account.

Below is the full list of potentially affected data points:

• User ID

• Password

• Email address

• Full name

• Billing address

• Shipping address

• IP address

• Social media accounts

• Phone numbers

• Year of birth

• Last four digits of your credit card number

• Information about aircraft in possession

• Industry

• Title

• Pilot status (yes/no)

• Account activity (such as flights viewed and comments made)

• Citizen service number

How was this data exposed? We’ve reached out to FlightAware and will update the story if they respond.

The downside to reporting data breaches in California is that the state does not require companies to publicly disclose how many people have been affected, unlike, say, Maine, which does.

While we can’t determine the exact number of users affected, FlightAware reports that there are 12 million registered users. If they were all affected, that would be a significant security flaw indeed.

“FlightAware values ​​your privacy and deeply regrets that this incident occurred,” a letter sent to those affected reads.

“When we discovered the exposure, we immediately fixed the configuration error. As a precaution, we are also asking all potentially affected users to reset their password. You will be prompted to do this the next time you log in to FlightAware.”

It is common practice in these types of breach notifications to comment on whether the data in question has been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this issue.

It is also common for companies to offer free credit monitoring to users and that is the case here. Anyone who receives a letter from FlightAware stating that they may have been affected was offered two years of service through Equifax. ®