OneFly Data Leak Exposes Full Credit Card Details and ID Documents

Once upon a time, companies used to at least pretend that they were protecting your data. These days, some simply don’t bother anymore.

The Hong Kong-based travel consolidator, OneFly, just exposed thousands of sensitive passenger records, including full credit card numbers and government-issued IDs, through a database that literally anyone with the right IP address could access. Not even a “12345” password required.

Researchers at Cybernews discovered the breach in late October 2025, though the earliest logs show data leaking since October 1st. Calling this situation absurd doesn’t even seem to do it justice.

Another Travel Company That Couldn't Be Bothered

OneFly works as a business-to-business travel consolidator. They're the middleman between airlines and online travel agencies, handling flight bookings and passenger data for countless travelers who've probably never even heard of them.

This makes the breach even worse, because you might’ve not even chosen to trust OneFly with your data. Your travel agency could’ve done it for you, and your data might just be in that same unprotected database without you having the faintest idea.

The exposed database was an unsecured Elasticsearch instance connected to nine internal Java Spring applications. It had no encryption and no password protection, only thousands of records broadcasting in real time to anyone who knew where to look.

The leaks include full passenger names, birth dates, detailed ID document information, complete credit card numbers, flight numbers, ticket prices, destination airports, and JWT authentication tokens. Around 10,000 ID records and 6,000 payment cards were exposed, plus countless other travel details.

The Severity Cannot Be Overstated

I know, I know. Another week, another data breach. But this one's particularly nasty because of what attackers can do with the combination of data that was exposed.

Having your credit card number leaked is bad enough on its own. But when it's paired with your ID documents, flight details, and personal information, it opens the door to some seriously targeted fraud. Attackers are literally getting everything they need to convincingly impersonate legitimate travel agencies.

Think about it. They've got your upcoming flight details, your payment information, and enough personal data to sound completely legit when they contact you about "changes to your booking" or "special upgrade offers." The kind of phishing scams that actually work because they know exactly where you're flying and when.

And then there are government-issued IDs. Once they're out there, they're out there, and you won’t reset them. Identity theft, fraudulent accounts, synthetic identity schemes – all of it becomes a breeze for the criminals who have actual copies of your passport or driver's license.

The Pattern We Keep Ignoring

OneFly still hasn't provided an official comment or confirmed whether they've actually secured the database. Which tracks with the broader pattern of data breaches we've seen lately, where companies collect massive amounts of sensitive data, refuse to protect it properly, and then go radio silent when it inevitably leaks.

The travel industry seems particularly bad at this. Airlines, booking platforms, and consolidators like OneFly are all handling incredibly sensitive information about where you're going, when, and how you're paying for it. And they're all treating security like an afterthought.

The biggest absurdity is that this wasn't some sophisticated hack. Because there was nothing to hack. The database was just sitting there, completely open, for anyone to access. It’s difficult to even fathom what went on in the heads of the people making a decision to leave it all just like this. If there was any thought at all.

Either way, if you've booked travel through any online agency in the past half a year, you might want to keep an eye on your credit card statements and consider placing a fraud alert on your credit reports. Because in 2026, apparently we still can't trust companies to do the absolute bare minimum when it comes to protecting our data.