Earlier today, numerous Reddit users took to the platform to discuss issues regarding a breach in their personal data. That thread saw users say that during the export process, they had received other users data including name, date of birth, and other sensitive data.
Reddit user Zocker23HD said, “I recently requested all my data, so [I] could move that to Simtoolkitpro. They sent all the files in json format, but one file called ‘User.json’ wasn’t mine. So I had someones Login name, Email, Country, Date of Birth and so on from a random person. I am legitimately [concerned] about the safety and privacy off all User’s Data.”
After this comment was posted, numerous Reddit users submitted various reports to us via our Submit News portal. Within minutes of seeing those requests, we sent the following email to projectFLY to understand the situation.
“We have received reports from a handful of community members regarding personal data requests from projectFLY.The concerns relate to data misused and shared with the wrong people. In particular, we’ve seen evidence of user’s requesting their own personal data but receiving data which relates to another individual. This included full name, email addresses, date of birth and other personal data. This is, of course, a great concern to the users involved.They have reached out to us to request a comment from projectFLY regarding the situation.We would really appreciate a response on the matter so that we can report fairly with all the facts.Should you require further details, please don’t hesitate to reach out.”
Whilst we didn’t get a response from the email, projectFLY has taken to social media to comment on the situation. [Brief update: projectFLY’s Luca has replied to our email with the same statement below] The statement read as follows:
“On the morning of the 10th June 2020, we were made aware that an unintentional change in our export data process, by a developer, resulted in a limited number of users being able to download data which was not theirs.
This data included their name, username, email and their encrypted password (to decrypt said password you would need access to the projectFLY server), among other less sensitive details such as the stream key (used to display the overlay), local ICAO and the dates the account was created and last logged in on and in 3 cases dates of birth. All users that have had details released have been emailed letting them know.
We take data protection very seriously and we quickly launched a full investigation into this. Access to said exported data has now been removed and have corrected the error in our export function. We have also reviewed our procedures for implementing new software that deals with sensitive data to ensure that this does not happen again.
We would like to reassure everyone that your raw password was not released and therefore no further action is required to secure your accounts, and if you have not received an email you have not been affected by this.
We apologise to those users that have had details leaked of the breach, and will happily answer any concerns or queries you have through a support ticket.”
You can read the full Reddit thread here.
Should any further information be shared, we’ll report on it.
Update: 15:00z – To clarify our stance on why we’ve reported on this particular subject. In our past article, we said that:
“To continue posting on FSElite about how Matt Davies / projectFLY / Mettar Simulations / projectFLY Systems Ltd needs money from the community at this point seems wrong. Going forward, it’s unlikely we’ll cover future posts regarding the availability of projectFLY or whether a new round of donation is required.”
As this information is not related to donations or downtime, we felt this was important to report upon.
Update: 15:35z – projectFLY has clarified their statement in regards to passwords.