projectFLY User Data Leaked Following Change to Data Export Process
projectFLY has announced a data breach took place yesterday morning (GMT), which saw the details of user data given to the wrong recipient.
The leak in data was caused by a modification to the export process, which led to a "limited number" of users downloading data belonging to other users.
This included their name, username, email address, encrypted password, stream key, local ICAO airport code, and some other information.
"On the morning of the 10th June 2020, we were made aware that an unintentional change in our export data process, by a developer, resulted in a limited number of users being able to download data which was not theirs," projectFLY wrote to various social media channels, such as Facebook.
"This data included their name, username, email and their encrypted password (to decrypt said password you would need access to the projectFLY server), among other less sensitive details such as the stream key (used to display the overlay), local ICAO and the dates the account was created and last logged in on and in 3 cases dates of birth. All users that have had details released have been emailed letting them know."
projectFLY later updated their statement to say their passwords are stored using one-way hashing, replacing the part in brackets in the paragraph above.
"We take data protection very seriously and we quickly launched a full investigation into this. Access to said exported data has now been removed and have corrected the error in our export function. We have also reviewed our procedures for implementing new software that deals with sensitive data to ensure that this does not happen again.
"We would like to reassure everyone that your raw password was not released and therefore no further action is required to secure your accounts, and if you have not received an email you have not been affected by this.
"We apologise to those users that have had details leaked of the breach, and will happily answer any concerns or queries you have through a support ticket."
A Reddit thread was initiated a few hours earlier, pointing out about user accounts not being deleted upon request.
One user identified they had indeed received someone else's information, adding "I am legitimately concered about the safety and privacy off all User's Data."
Some have also expressed their concern in various communities for projectFLY's ability to be able to decrypt passwords, though specific details of how passwords are handled has not been stated.
projectFLY has since contacted the Information Commissioner's Office to report the incident. Replying to a user, projectFLY said: "After a lengthy phone call with them, they decided it wasn't necessary and just to keep a local copy of everything that happened and what we did to rectify it etc."
Version 4 of projectFLY - which was announced one year ago at FlightSimExpo 2019 - is still under development.