Travelers beware: thousands of customer IDs and full payment details leaked


OneFly, a business-to-business (B2B) travel consolidation service, has exposed thousands of sensitive records, including ID documents, flight numbers, and full credit card details.

The Cybernews research team recently discovered thousands of records leaking in real time from nine internal Java Spring applications through an Elasticsearch instance. According to the team, the data belongs to OneFly.

The Hong Kong-based outfit acts as a bridge between airlines and online travel agencies. We have reached out to OneFly for comment and will update this article once we receive a reply.

Our researchers first observed the leaking information in late October, with the earliest entries dated October 1st, 2025. Since Elasticsearch works best with real-time data, it’s likely that the leak started in October. However, there’s no way to be 100% sure about the exact date when the data became public.

OneFly data leak sample
Leaked flight booking information, including passenger info, payment method, and flight details. Image by Cybernews.

What records are included in the OneFly data leak?

The records our team discovered cover a large array of personally identifiable information (PII) as well as details about booked flights. According to our team, the OneFly data leak revealed:

  • Passenger names
  • Dates of birth
  • ID document details
  • Flight numbers
  • Ticket prices
  • Dates
  • Destination airports
  • Full credit card details
  • JWT tokens

The only silver lining is that the volume of the most sensitive exposed details, namely IDs and payment cards, is rather minimal. Our researchers identified around 10k ID records and 6k payment cards.

OneFly data leak sample
Leaked internal user JWT authentication token. Image by Cybernews.

However, the exposed details can severely impact individuals whose data was left unprotected. Identification documents, together with other PII, enable attackers to steal victims’ identities.

Meanwhile, exposed payment card numbers, flight details, and other travel information can lead to financial losses due to theft and numerous travel scams, not to mention an increased risk of phishing. Armed with the leaked data, cybercriminals could convincingly impersonate travel agencies.

“Additionally, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal company systems, given that Elastic is regularly logging currently valid tokens,” our team explained.

OneFly data leak sample
Decoded JWT token. Image by Cybernews.

Our researchers advise the company to:

  • Configure Access Control rules in order to restrict access to application logs to authorized personnel
  • Refine the logging processes in order to ensure that as little sensitive information as possible ends up in logs
  • Implement IP whitelisting or similar access restriction measures while the fixes are ongoing
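
One way to apply the second recommendation in a Java application, as an added example that is not code from OneFly or Cybernews: scrub JWTs and Luhn-valid card numbers from a message before it reaches a log that Elasticsearch indexes. The class name `LogRedactor`, the placeholder formats, and the sample line are assumptions constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class): scrubs JWTs and card numbers from a log message. */
public final class LogRedactor {
    // Three base64url segments; "eyJ" is the encoding of '{"', which starts a JWT header.
    private static final Pattern JWT =
        Pattern.compile("\\beyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*");
    // 13 to 19 digits, optionally separated by single spaces or dashes.
    private static final Pattern PAN_CANDIDATE =
        Pattern.compile("(?<!\\d)\\d(?:[ -]?\\d){12,18}(?!\\d)");

    private LogRedactor() {}

    public static String redact(String message) {
        String noTokens = JWT.matcher(message).replaceAll("[REDACTED_JWT]");
        Matcher m = PAN_CANDIDATE.matcher(noTokens);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String digits = m.group().replaceAll("[ -]", "");
            // Mask only Luhn-valid numbers so order ids and timestamps stay searchable.
            String repl = luhnValid(digits)
                ? "[REDACTED_PAN_" + digits.substring(digits.length() - 4) + "]"
                : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    public static void main(String[] args) {
        // Constructed sample line: dummy token, and 4111... is a well-known test card number.
        String line = "booking ok pnr=ABC123 card=4111 1111 1111 1111 "
            + "auth=Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl ts=1761955200000";
        System.out.println(redact(line));
    }
}
```

Calling `redact` inside the logging layer (for example from a custom log encoder) keeps the scrubbing in one place instead of relying on every call site.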

Disclosure timeline:

  • Leak discovered: October 28th, 2025
  • Initial disclosure: October 31st, 2025
  • CERT contacted: November 12th, 2025
