Popular flight tracking website Flightradar24 has suffered a data breach that possibly compromised the email addresses and hashed passwords of a "small subset" of customers. Users have received emails requesting them to reset their passwords.
However, many took to social media and multiple forums to question Flightradar24 about the veracity of the email, since the company had not publicly revealed any information regarding a breach via its blog or social media channels. The company later responded to customers' queries, confirming that the email was genuine.
"We identified a security breach that may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016), including you," the email read. "While we do not have any indication that your information was accessed, we still want to sincerely apologize for the breach, and let you know what we're doing, and what we encourage you to do."
The Sweden-based company said the breach was limited to one server that was "promptly shut down" once the intrusion attempt was discovered.
The firm noted it does not store passwords in plain text on its servers, but converts them into hashes that are "designed to be impossible to convert back."
"However, as a general precaution and because the hashing algorithm used in this retired part of our system no longer is considered sufficiently secure, we have decided to reset the passwords of all potentially affected users," Flightradar24 said. Users who have chosen the same password across other platforms or services have been advised to change those as well.
Flightradar24 stated that no payment information was compromised in the breach since it neither handles nor stores such data. Any payment-related data is managed by its partners Adyen and PayPal, it noted.
In addition to the password reset, the firm said it will implement modern, secure password hashing and further strengthen access and authentication for its internal systems.
"We take the protection of your information very seriously and will continue our thorough internal security review of our system and processes to see what more we can do to ensure that this never happens again," the company said.
In compliance with the EU's new General Data Protection Regulation (GDPR), Flightradar24 has notified the Swedish Data Protection Authority of the breach.