FR24 Security Breach

Started by Anmer, June 18, 2018, 02:58:13 PM

Anmer

I'm sharing the message I received just now from FR24.  Maybe changing your password is a good idea, irrespective of when you signed up:

Dear Flightradar24 user,

I regret to inform you that late last week we identified a security breach that may have compromised the email addresses and hashed passwords (see explanation below) for a small subset of Flightradar24 users (those who registered prior to March 16, 2016), including you. While we do not have any indication that your information was accessed, we still want to sincerely apologize for the breach and let you know what we're doing, and what we encourage you to do.
 
We do not store passwords in plain text on our servers. Instead we convert them into scrambled strings of characters (hashes) that are designed to be impossible to convert back. However, as a general precaution and because the hashing algorithm used in this retired part of our system no longer is considered sufficiently secure, we have decided to reset the passwords of all potentially affected users.
Click here to create a new password

Link Removed

If clicking the URL in this message does not work, just copy and paste it into the address bar of your browser. You can also visit flightradar24.com and use the password reset function at any time.

In case you've used the same password anywhere else, I strongly suggest you update it there as well.
 
Please note that no payment information has been compromised. Flightradar24 neither handles nor stores payment information. Instead, this is managed by our trusted partners Adyen and PayPal.
 
The security breach was limited to one server and it was promptly shut down once the intrusion attempt had been ascertained. Other actions, beyond the password reset for affected users, include a modern secure password hashing (in place since 2016) and further strengthening of access and authentication for our internal systems.
 
We take the protection of your information very seriously and will continue our thorough internal security review of our system and processes to see what more we can do to ensure that this never happens again. In order to comply with the EU's General Data Protection Regulation (GDPR) article 33 (Notification of a personal data breach to the supervisory authority) we have also notified The Swedish Data Protection Authority (Flightradar24 is a Swedish company).
 
If you have any questions, I encourage you to contact us at support@fr24.com.
 
Sincerely,
Fredrik Lindahl
CEO, Flightradar24

Here to Help.

Keef

#1
I got that email and I have a couple of comments.

First, I never click on reset password links in emails unless I requested the reset myself and was expecting the email as it is a common phishing method, advice I would give to everybody. I wasn't too impressed with that method of communicating a password reset, better to say log in to the site and change your password.

Second, I couldn't find a way to reset my password or even view my account details when I visited the FR24 site.
There is a cookie set which automatically logs me in, which is fine, but I couldn't see any way to get to my account to change the password or request a reset.

I ended up going to FR24 using a different browser (too lazy to track down and delete the cookie) and then on the homepage there is a reset password option which I used.

Seems strange I can't find a way to reset my password when I'm logged in. Maybe there is a way but if there is they've made it very hard to find (for me at least).

I like FR24 and send them data so I'm not just bashing them, only airing my thoughts.

Cheers,

Keef.

Anmer

Quote from: Keef on June 21, 2018, 09:50:09 PM
Seems strange I can't find a way to reset my password when I'm logged in. Maybe there is a way but if there is they've made it very hard to find (for me at least).

You should be able to see the "Change Password" option if you select the account type, top right.  You may need to set the page to show the top menu bar using the full screen toggle icon on the right hand side menu, below the gear icon.

Here to Help.

Keef

Thanks Anmer,

It was the full screen option that I needed to deselect to see the account option.

I still think sending out password reset links in a mass email is a bad idea though.

Cheers,

Keef.