Update Sep 7th 2019 @ 09:05z: Flight1 has issued an email to users responding to the security breach we previously reported on. Here’s their statement in full.
Yesterday, September 5, 2019, Flight1 was notified that some of our customer data was found on the internet. We are sharing what we have discovered.
First, Flight1 is a data-minimum company. We do not store more data than what is required to provide our service and we do not use data for marketing purposes. We do not store credit card numbers with the exception of the last 4 digits so you can inquire about a sale. Credit card expiration dates and CCV verification numbers are NOT stored. Card processing data is passed directly to the processing gateway and is not retained in our database. All flight1.com account passwords are stored as secure 1-way hash codes using an advanced algorithm. Please see our terms of service page for more details on our data policies.
What was discovered:
An audit was completed and does not show any active exploit on our server or database. We have examined our server logs going back a full year. Discovered during the audit was a script (for viewing information on a product) where logs showed there were attempts to retrieve data using an automated bot. We believe this is where some data may have been leaked. Not all current accounts were affected and yours may not have been affected. That version of the script is no longer in use and has not been in use for months. In auditing the current version of the script no vulnerabilities were found (also verified in current logs).
What you should do:
Due to the strong 1-way hashing used we do not believe it is necessary for you to change your passwords, but you are welcome to do so. Flight1 recommends you always be vigilant on the Internet. Be aware of email phishing attempts. Flight1 NEVER sends unsolicited emails asking you to log in to our site, or asking for any payment information via email.
Whether you have been a customer of ours for 20+ years or are a new customer, know that security is always at the top of our list and will remain so. Thank you for your support and please feel free to contact us.
Original Article 6 Sep 2019 @ 06:49
According to a message that has appeared on Avast Hack Check, data from Flight1 appears to have been stolen in a database breach. The alleged breach, according to Avast, happened on an unconfirmed date and affects 152 482 accounts. The stolen data reportedly contains e-mail addresses and passwords, and is being shared privately on the internet.
We have reached out to Flight1 for a statement. They have told us they are looking into the alleged breach, but could not confirm that anything has happened at this point in time, though they did express concern about the situation. They could, however, confirm that even in the case of a breach, the site does not store useful payment information. No full credit card numbers are stored, nor are any expiration dates or card verification numbers. PayPal data is also not stored by Flight1.
Flight1 also uses advanced one-way hashing methods to secure their passwords, so these should be safe as well in case of a breach. Furthermore, Flight1 wants to emphasise that they follow a 'Data-Minimum' principle: they only collect the data necessary to complete a transaction or serve you, and no additional data is required. The Flight1 data usage and privacy statement can also be found on their website.
We are sure the Flight1 team will follow up if they find out anything more about the breach, as this is a legal requirement under laws such as GDPR. Though Flight1 states that most of your data should stay secure (or be useless to an attacker), it is never a bad idea to change your password just in case, and to keep an eye on any suspicious e-mails you may receive. We will keep you up to date with the situation as we find out more.