
Thousands of customer IDs and full payment details leaked

by Simon Jones Tech Reporter
11th Feb 26 3:21 pm

The Cybernews research team has recently discovered thousands of records leaking in real time from nine internal Java Spring applications through an Elasticsearch instance. According to the team, the data belongs to OneFly.

The Hong Kong-based outfit acts as a bridge between airlines and online travel agencies. We have reached out to OneFly for comment and will update this article once we receive a reply.

Our researchers first observed the leaking information in late October, with the earliest entries dated October 1st, 2025. Since Elasticsearch works best with real-time data, it's likely that the leak started in October. However, there's no way to be 100% sure about the exact date when the data became public.

What records are included in the OneFly data leak?

The records our team discovered cover a large array of personally identifiable information (PII) as well as details about booked flights. According to our team, the OneFly data leak revealed:

  • Passenger names
  • Dates of birth
  • ID document details
  • Flight numbers
  • Ticket prices
  • Dates
  • Destination airports
  • Full credit card details
  • JWT tokens

The only silver lining is that the volume of the most sensitive exposed details, IDs and payment cards, is rather minimal. Our researchers identified around 10k ID records and 6k payment cards.

However, the exposed details can severely impact individuals whose data was left unprotected. Identification documents, together with other PII, enable attackers to steal victims' identities.

Meanwhile, exposed payment card numbers, flight details, and other travel information can lead to financial losses due to theft and numerous travel scams, not to mention an increased risk of phishing. Armed with the leaked data, cybercriminals could convincingly impersonate travel agencies.

"Additionally, exposed internal user authentication tokens can be used for user impersonation to obtain more information from internal company systems, given that Elastic is regularly logging currently valid tokens," our team explained.

Cybernews researchers advise the company to:

  • Configure Access Control rules in order to restrict access to application logs to authorized personnel
  • Refine the logging processes in order to ensure that as little sensitive information as possible ends up in logs
  • Implement IP whitelisting or similar access restriction measures while the fixes are ongoing
