ADVERTISEMENT

Travelers beware: thousands of customer IDs and full payment details leaked

OneFly, a business-to-business (B2B) travel consolidation service, has exposed thousands of sensitive records, including ID documents, flight numbers, and full credit card details.

OneFly data leak expose customer data

Image by Cybernews.

Vilius Petkauskas
Vilius Petkauskas Deputy Editor
Feb 11, 2026 Updated: 11 February 2026 2 min read
Key takeaways:
OneFly data leak sample
Leaking flight booking information, includes passenger info, payment method and flight details. Image by Cybernews.

What records are included in the OneFly data leak?

  • Passenger names
  • Dates of birth
  • ID document details
  • Flight numbers
  • Ticket prices
  • Dates
  • Destination airports
  • Full credit card details
  • JWT tokens
OneFly data leak sample
Leaking internal user JWT authentication token. Image by Cybernews.
ADVERTISEMENT
OneFly data leak sample
Decoded JWT token. Image by Cybernews.
  • Configure Access Control rules in order to restrict access to application logs to authorized personnel
  • Refine the logging processes in order to ensure that as little sensitive information as possible ends up in logs
  • Implement IP whitelisting or similar access restriction measures while the fixes are ongoing

  • Leak discovered: October 28th, 2025
  • Initial disclosure: October 31st, 2025
  • CERT contacted: November 12th, 2025

ADVERTISEMENT