OneFly Exposes Thousands of Sensitive Customer Records via Unsecured Elasticsearch Instance
Security researchers at Cybernews uncovered a significant data leak at OneFly, a global travel technology and flight content aggregator, exposing thousands of sensitive customer records through an unsecured Elasticsearch instance. The breach, detected in early October 2025, involved real-time exposure of data from nine internal Java Spring applications, though the exact duration and total number of affected individuals remain unclear.
The leaked records included names, dates of birth, ID document details, flight information (numbers, prices, dates, destinations), full credit card details, and JWT tokens. Researchers identified approximately 10,000 ID records and 6,000 payment cards, describing the figure as a "rather minimal" estimate.
OneFly, which employs between 50 and 200 people, serves over 100 airlines and major online travel agencies (OTAs) worldwide, providing unified APIs for ticket inventories and pricing. The exposed data poses severe risks, including fraudulent transactions, identity theft, and phishing attacks targeting customers under the guise of airlines or travel agencies. Additionally, compromised JWT tokens could enable attackers to impersonate users and access internal systems.
Cybernews noted that the breach highlights the need for access control rules, refined logging processes, and IP whitelisting to prevent similar incidents. The company has not disclosed whether affected customers were notified.
OneFly TPRM report: https://www.rankiteo.com/company/onefly-international-hongkong-limited
Airlines served by OneFly TPRM report: https://www.rankiteo.com/company/onefly-international-hongkong-limited
Online Travel Agencies TPRM report: https://www.rankiteo.com/company/yatra-online-pvt-ltd
{
    "id": "yatone1770913859",
    "linkid": "yatra-online-pvt-ltd, onefly-international-hongkong-limited",
    "type": "Breach",
    "date": "10/2025",
    "severity": "85",
    "impact": "4",
    "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Thousands (exact number unclear)',
            'industry': 'Travel/Technology',
            'location': 'Global',
            'name': 'OneFly',
            'size': '50-200 employees',
            'type': 'Travel Technology and Flight Content Aggregator'
        }
    ],
    'attack_vector': 'Unsecured Elasticsearch Instance',
    'data_breach': {
        'number_of_records_exposed': 'Approximately 10,000 ID records and 6,000 payment cards',
        'personally_identifiable_information': 'Names, dates of birth, ID document details, flight information',
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': [
            'Personally Identifiable Information',
            'Payment Information',
            'Authentication Tokens'
        ]
    },
    'date_detected': '2025-10-01',
    'description': 'Security researchers at Cybernews uncovered a significant '
                   'data leak at OneFly, a global travel technology and flight '
                   'content aggregator, exposing thousands of sensitive customer '
                   'records through an unsecured Elasticsearch instance. The '
                   'breach involved real-time exposure of data from nine internal '
                   'Java Spring Applications, including names, dates of birth, ID '
                   'document details, flight information, full credit card '
                   'details, and JWT tokens.',
    'impact': {
        'brand_reputation_impact': 'Severe',
        'data_compromised': 'Names, dates of birth, ID document details, '
                            'flight information, full credit card details, '
                            'JWT tokens',
        'identity_theft_risk': 'High',
        'payment_information_risk': 'High',
        'systems_affected': 'Nine internal Java Spring Applications'
    },
    'lessons_learned': 'Need for access control rules, refined logging processes, '
                       'and IP whitelisting to prevent similar incidents.',
    'post_incident_analysis': {
        'root_causes': 'Misconfigured Elasticsearch instance, lack of access controls'
    },
    'recommendations': [
        'Implement access control rules',
        'Refine logging processes',
        'Enforce IP whitelisting'
    ],
    'references': [{'source': 'Cybernews'}],
    'title': 'OneFly Exposes Thousands of Sensitive Customer Records via '
             'Unsecured Elasticsearch Instance',
    'type': 'Data Leak',
    'vulnerability_exploited': 'Misconfigured access control, lack of IP whitelisting'
}