Huge OneFly data breach sees traveler IDs and payment details leaked


  • OneFly leaked thousands of sensitive customer records via unsecured Elasticsearch instance
  • Data included names, IDs, flight details, full credit card info, and JWT tokens
  • Cybernews urges access controls, refined logging, and IP whitelisting to mitigate risks

Travel technology and flight content company OneFly has apparently leaked thousands of sensitive customer records, including unedited payment information, online.

Security researchers from Cybernews said they recently discovered “thousands of records” leaking in real time from nine internal Java Spring applications, through an exposed Elasticsearch instance.

The records include people’s names, dates of birth, ID document details, flight numbers, ticket prices, dates, destination airports, full credit card details, and JWT tokens.

How to mitigate the risk

Cybernews said it was impossible to determine exactly when the data was generated or leaked, but the evidence points to early October 2025. We also don’t know exactly how many people are affected by the breach, but the researchers said they identified around 10,000 ID records and 6,000 payment cards and called this number “rather minimal”.

OneFly is a travel technology and flight content company that acts mainly as a global travel content aggregator and air-ticket supplier. It connects airlines, online travel agencies (OTAs) and travel tech partners through unified APIs to provide access to worldwide ticket inventories, including low-cost carrier fares and GDS/private pricing.

It is, by no means, a small company. It has between 50 and 200 employees, and apparently serves more than 100 carriers and major OTAs worldwide.

Besides the obvious - using payment data to make fraudulent wire transfers - there are different ways in which cybercriminals can abuse this information. They can steal customer identities to gain certain advantages, or they can reach out to the customers spoofing airlines and travel agencies.

“Additionally, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal company systems, given that Elastic is regularly logging currently valid tokens,” Cybernews explained.

To mitigate the risk, businesses should configure access control rules and restrict access to application logs, refine their logging processes so that tokens and card data are never written to logs in the first place, and implement IP whitelisting (or similar) while the fixes are ongoing.
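Of those three mitigations, refining the logging pipeline is the one that removes the sensitive data at its source. As an added illustration (not code from Cybernews, OneFly, or any Spring application), the following Python logging filter redacts JWTs and Luhn-valid card numbers from log messages before a shipper forwards them to Elasticsearch; the patterns, the filter class and the sample messages are all constructed here.

```python
import logging
import re

# Constructed patterns (assumption: tokens and PANs appear inline in log text).
# A JWT is three base64url segments separated by dots; the header nearly always
# starts with "eyJ" because it encodes '{"'.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*")
# 13 to 19 digits, optionally separated by spaces or dashes, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to avoid masking booking refs or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four only


def redact(text: str) -> str:
    """Replace JWTs and Luhn-valid PANs in a single log line."""
    text = JWT_RE.sub("[JWT-REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)


class RedactingFilter(logging.Filter):
    """Attach to the handler that feeds the log shipper / Elasticsearch."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so %-style args are scrubbed too, then drop the args.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.info("auth ok bearer=%s card=%s", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc123", "4111 1111 1111 1111")
```

The filter only guards the fields it can recognise; structured logging that never emits token or card fields at all is the stronger fix.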



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
