Flight1: user data stolen?


[UPDATE 07/09]

Flight1 has confirmed the incident and responded by sending a reassuring e-mail to all users. The high level of security and the scrambling of passwords should mean that the stolen data cannot be exploited, so there is no need to do anything.

Important Information:

Yesterday, September 5, 2019, Flight1 was notified that some of our customer data was found on the internet. We are posting what we have discovered.

First, Flight1 is a data-minimum company. We do not store more data than what is required to provide our service and we do not use data for marketing purposes. We do not store credit card numbers with the exception of the last 4 digits so you can inquire about a sale. Credit card expiration dates and CCV verification numbers are NOT stored. Card processing data is passed directly to the processing gateway and is not retained in our database. All flight1.com account passwords are stored as secure 1-way hash codes using an advanced algorithm. Please see our terms of service page for more details on our data policies.

What was discovered:

An audit was completed and does not show any active exploit on our server or database. We have examined our server logs going back a full year. Discovered during the audit was a script (for viewing information on a product) where logs showed there were attempts to retrieve data using an automated bot. We believe this is where some data may have been leaked. Not all current accounts were affected and yours may not have been affected. That version of the script is no longer in use and has not been in use for months. In auditing the current version of the script no vulnerabilities were found (also verified in current logs).

What you should do:

Due to the strong 1-way hashing used we do not believe it is necessary for you to change your passwords, but you are welcome to do so. Flight1 recommends you always be vigilant on the Internet. Be aware of email phishing attempts. Flight1 NEVER sends unsolicited emails asking you to log in to our site, or ask for any payment information via email.

In Summary:

Whether you have been a customer of ours for 20+ years or are a new customer, know that security is always at the top of our list and will remain so. Thank you for your support and please feel free to contact us.



According to Avast Hack Check (a site that lists, in real time, sites that have fallen victim to cyber attacks), Flight1 was reportedly the victim of a data theft involving the user passwords of more than 150,000 accounts.

The publisher has so far not reacted publicly, but customers can rest assured: Flight1 does not keep complete bank card information, as shown by this excerpt from their terms of use:

Also, your full credit card number is not stored on our servers for both yours and our protection. We do not store card expiration dates or card verification numbers. When utilizing PayPal to make payments, none of your PayPal data goes through our servers as you enter login data directly on the PayPal site. We also do not store data based on your computer hardware on our servers.

We will be sure to keep you informed of further developments.

More generally, data protection policy and hacking are problems that software publishers and other vendors have faced for many years. Strengthening data protection policy (GDPR) and improving server security is a constant challenge, as malicious third parties keep finding ever more ingenious ways to achieve their ends.