Share
Business-to-business travel consolidator OneFly has left thousands of sensitive passenger records exposed to the open web.
The travel company, which provides services to travel agencies and airlines, suffered a significant data leak that remained active for months.
Researchers at Cybernews discovered the vulnerability in late October 2025, though logs indicate the exposure began as early as October 1st.
The leak originated from an unprotected Elasticsearch instance. This database was connected to nine internal Java Spring applications, which were inadvertently broadcasting private data in real time. Because the instance lacked password protection, anyone with the correct IP address could access the information.
The scale of the data taken is extensive and highly sensitive. Leaked records include full passenger names, dates of birth, and detailed ID document information. Critically, the breach also exposed full credit card details, flight numbers, ticket prices, and destination airports.
Furthermore, the leak contained JSON Web Tokens (JWTs), which are digital credentials that could allow attackers to bypass security and access user accounts without a password.
This combination of data creates a “perfect storm” for cybercriminals. With access to identification documents and personal identifiers, hackers can easily commit identity theft.
Meanwhile, the exposure of flight details and payment numbers makes victims primary targets for travel-related scams and financial theft. Armed with such specific travel history, a criminal could convincingly impersonate a travel agent or airline representative to conduct sophisticated phishing attacks.
For those concerned about their data, the first step is to monitor financial statements closely. If you have used a travel agency that utilizes OneFly’s B2B services, you should consider freezing your credit cards and requesting replacements.
Since passport and ID details were leaked, victims should also remain vigilant against suspicious emails or phone calls that reference specific flight numbers or booking dates.
OneFly has not yet provided an official comment on the breach or confirmed if the database has been fully secured. Experts advise all travellers to enable two-factor authentication on their travel and email accounts to mitigate the risk posed by the leaked digital tokens.
Related Posts
Discover more from Tech Digest
Subscribe to get the latest posts sent to your email.