- OneFly leaked thousands of sensitive customer records via an insecure Elasticsearch instance.
- The data included names, IDs, flight details, full credit card information and JWT tokens.
- Cybernews recommends access controls, fine-grained logging and IP whitelisting to mitigate risks.
Travel technology and flight content company OneFly has apparently leaked thousands of sensitive customer records online, including unedited payment information.
Security researchers from Cybernews said they recently discovered “thousands of records” leaking in real time from nine internal Java Spring applications, via an Elasticsearch instance.
The records include people’s names, dates of birth, ID details, flight numbers, ticket prices, dates, destination airports, full credit card details and JWT tokens.
How to mitigate risk
Cybernews said it was impossible to determine exactly when the data was generated or leaked, but evidence points to early October 2025. We also don’t know exactly how many people are affected by the breach, but researchers said they identified about 10,000 identity documents and 6,000 payment cards and called that number “rather minimal.”
OneFly is a travel technology and flight content company that primarily acts as a global travel content aggregator and airline ticket provider. It connects airlines, online travel agencies (OTAs) and travel technology partners through unified APIs to provide access to global ticket inventories, including low-cost airline fares and GDS/private fares.
This is by no means a small business. It has between 50 and 200 employees and reportedly serves over 100 carriers and major OTAs worldwide.
Besides the obvious – using payment data to make fraudulent wire transfers – cybercriminals can exploit this information in a number of ways. They can steal customers’ identities to obtain certain benefits, or contact customers by impersonating airlines and travel agencies.
“Additionally, exposed internal user authentication tokens can be used to impersonate the user to obtain more information from the company’s internal systems, since Elastic regularly logs currently valid tokens,” Cybernews explained.
To mitigate risk, organizations should configure access control rules and restrict access to application logs, refine logging processes, and implement IP whitelisting (or similar) while patching is underway.
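As an added illustration of the "refine logging processes" point (example code, not Cybernews' or OneFly's own), the scrubber below masks Luhn-valid card numbers, CVVs and JWTs in application log lines before they are shipped to an index such as Elasticsearch, so an exposed index holds no usable payment or session data. The log lines are constructed samples shaped like the field types the article lists.

```python
import re

# Constructed sample log lines modelled on the field types the article says were
# exposed (names, flight numbers, full card data, JWTs); these are not real records.
SAMPLE_LOGS = [
    'INFO  booking pnr=ABC123 pax="J. Doe" flight=LH400 card=4111 1111 1111 1111 exp=12/27 cvv=123',
    'DEBUG auth ok Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
    'INFO  e-ticket issued ticket=2201234567890 price=512.00',  # 13 digits but fails Luhn: left intact
]

# A JWT is three base64url segments joined by dots; the header segment always starts with "eyJ".
JWT_RE = re.compile(r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+')
# Candidate card numbers: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r'(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])')
# Card security codes appearing next to a cvv/cvc/csc key.
CVV_RE = re.compile(r'\b(cvv|cvc|csc)=\d{3,4}\b', re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r'\D', '', match.group(0))
    if not luhn_ok(digits):
        return match.group(0)   # ticket numbers, booking refs etc. pass through unchanged
    return '*' * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Scrub one log line of JWTs, CVVs and card numbers before it is indexed."""
    line = JWT_RE.sub('<jwt-redacted>', line)
    line = CVV_RE.sub(lambda m: f'{m.group(1)}=***', line)
    return PAN_RE.sub(_mask_pan, line)


def scrub(lines):
    """Apply redact() to every line; this is the hook to place in the log shipper."""
    return [redact(line) for line in lines]


if __name__ == '__main__':
    for cleaned in scrub(SAMPLE_LOGS):
        print(cleaned)
```

The Luhn check keeps 13-digit airline ticket numbers and similar identifiers readable while still masking real card numbers, which is the trade-off a logging pipeline for a ticketing platform has to make.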