Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users’ data for more than three years.

It made the admission via a notification filed last week with Rob Bonta, California’s attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you’d expect to see in a breach, depending on what information the user provided in their account.

The full list of potentially impacted data points is below:

• User ID
• Password
• Email address
• Full name
• Billing address
• Shipping address
• IP address
• Social media accounts
• Telephone numbers
• Year of birth
• Last four digits of your credit card number
• Information about aircraft owned
• Industry
• Title
• Pilot status (yes/no)
• Account activity (such as flights viewed and comments posted)
• Social Security Number

How was this data exposed? We asked FlightAware and will update the story if it responds.

The downside of filing data leak notifications in California is that the state doesn’t require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

“FlightAware values your privacy and deeply regrets that this incident occurred,” it wrote in a letter being sent to affected individuals.

“Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware.”

It’s typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

It’s also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.