Someone took control of an old FR24 server which, although retired, was still reachable from the internet together with the weakly hashed data of people who had created an FR account before March 16, 2016.
Here is the text of the e-mail being sent to those affected:
I regret to inform you that late last week we identified a security breach that may have compromised the email addresses and hashed passwords (see explanation below) for a small subset of Flightradar24 users (those who registered prior to March 16, 2016), including you. While we do not have any indication that your information was accessed, we still want to sincerely apologize for the breach and let you know what we’re doing, and what we encourage you to do.
We do not store passwords in plain text on our servers. Instead we convert them into scrambled strings of characters (hashes) that are designed to be impossible to convert back. However, as a general precaution and because the hashing algorithm used in this retired part of our system is no longer considered sufficiently secure, we have decided to reset the passwords of all potentially affected users.
Click here to create a new password
If clicking the URL in this message does not work, just copy and paste it into the address bar of your browser. You can also visit flightradar24.com and use the password reset function at any time.
In case you’ve used the same password anywhere else, I strongly suggest you update it there as well.
Please note that no payment information has been compromised. Flightradar24 neither handles nor stores payment information. Instead, this is managed by our trusted partners Adyen and PayPal.
The security breach was limited to one server and it was promptly shut down once the intrusion attempt had been ascertained. Other actions, beyond the password reset for affected users, include modern secure password hashing (in place since 2016) and further strengthening of access and authentication for our internal systems.
We take the protection of your information very seriously and will continue our thorough internal security review of our system and processes to see what more we can do to ensure that this never happens again. In order to comply with the EU’s General Data Protection Regulation (GDPR) article 33 (Notification of a personal data breach to the supervisory authority) we have also notified The Swedish Data Protection Authority (Flightradar24 is a Swedish company).
If you have any questions, I encourage you to contact us at firstname.lastname@example.org.
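The notice above describes the usual defender's response to a retired, weak hashing scheme: identify the accounts still on it, force a reset, and make sure everything new uses a modern salted KDF. The example below is an added illustration of that workflow, not Flightradar24's code; the legacy scheme (unsalted SHA-1), the tagged `scrypt$` storage format and the sample user table are all constructed assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample table (not FR24 data). Two hash formats coexist:
# - legacy: bare hex digest of unsalted SHA-1 (assumed retired scheme, for illustration only)
# - modern: "scrypt$<salt_hex>$<hash_hex>" produced by hash_password_modern()
MODERN_PREFIX = "scrypt$"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB of memory per hash

def hash_password_modern(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash in a self-describing, tagged format."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{MODERN_PREFIX}{salt.hex()}${digest.hex()}"

def is_legacy_hash(stored: str) -> bool:
    """Anything without the modern algorithm tag is assumed to be the retired scheme."""
    return not stored.startswith(MODERN_PREFIX)

def _verify_legacy(password: str, stored: str) -> bool:
    # Assumed legacy scheme: unsalted SHA-1 hex digest (constructed for this example).
    return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)

def _verify_modern(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a password; on success against a legacy hash, return a modern replacement hash
    so the caller can overwrite the stored value (opportunistic rehash at login)."""
    if is_legacy_hash(stored):
        ok = _verify_legacy(password, stored)
        return ok, (hash_password_modern(password) if ok else stored)
    return _verify_modern(password, stored), stored

def users_needing_reset(table: Dict[str, str]) -> List[str]:
    """Accounts still on the legacy scheme: the subset to force-reset, as in the notice above."""
    return sorted(user for user, stored in table.items() if is_legacy_hash(stored))

# Constructed sample table: one account from before the hashing cutover, one from after.
SAMPLE_TABLE = {
    "old_user": hashlib.sha1(b"correct horse").hexdigest(),
    "new_user": hash_password_modern("battery staple"),
}
```

Rehash-on-login only helps users who still log in; accounts that never return keep the weak hash, which is why a forced reset of the whole legacy subset is the safer choice.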