Canadian Flair Airlines left sensitive databases and email credentials exposed for over seven months. The data leak, involving publicly accessible environment files on the flyflair.com website, posed significant risks to passenger information.
Furthermore, the exposed .env files revealed MySQL database credentials, SMTP configurations, and more. While it remains unclear if malicious actors took advantage of the breach, incidents like these can be a starting point for cybercriminals, potentially leading to phishing attacks and identity theft.
Additionally, the leak, first observed and indexed in August 2022, persisted for nearly seven months before being discovered on February 27th, 2023. It took several months of follow-up notifications, including to the Canadian Computer Emergency Response Team (CERT), to resolve the vulnerability. Although the exact extent of the data exposure remains uncertain, at least one subdomain collecting private user information for group travel bookings was affected, including names, emails, phone numbers, flight details, and additional personal data.
The potential consequences of this data leak are substantial, as cybercriminals could exploit it in various ways, from researching targets and launching phishing attacks to compromising sensitive information.
