History
2022: User Data Leak
Travel planning service OneTwoTrip has confirmed the existence of a vulnerability that caused a data leak. The company also announced on August 24, 2022 that the fault had been fixed.
On August 2, 2022, information security researcher Bob Dyachenko wrote on Twitter about an open OneTwoTrip database. According to the expert, information about e-mail addresses, names, passports, phone numbers, payment information, travel and passwords was publicly accessible.
An Elasticsearch server with information about the company's clients was allegedly freely accessible for several days. The exact amount of leaked data is unknown; usually, part of the data processed on those dates ends up in such indices. It is currently unknown whether the leaked information was downloaded and processed.
According to Dyachenko, the CTO of OneTwoTrip attributed this to "a change made a few days ago that violated firewall rules and provoked the opening of the port."
"At the moment, we record that there is no leakage of personal data of OneTwoTrip customers. There was a vulnerability; we fixed it. The database with client data was not vulnerable. The vulnerability concerned data on the activity of some users of the service in a short period of time. The vulnerable data did not include the data needed to log in to the personal account or customer card data," the company said in a statement quoted by RIA Novosti on August 24, 2022.
The service added that nothing threatens the personal data of customers. Representatives of OneTwoTrip did not disclose the number of users whose data was compromised.[1]