I can confirm the veracity of the email. I got it myself. Note that they say they leaked passwords. They didn't mention whether they were hashed or not, and if so whether with salt or not. I couldn't find a blog post either. The notification email took more than 3 weeks; not impressed.
As someone who used to work there, the passwords were definitely stored salted and hashed in the database.
The email mostly makes it sound like what’s in the user account table, though last 4 of credit card I didn’t think was in it. And mentioning passwords, not salted/hashed passwords, makes me think it was more.
I’m wondering if this is an Apache or Apache Rivet issue that possibly intercepted everything you sent to the server, which could then be your actual password if you logged in during the timeframe or even credit card if you bought something.
Also Rivet was full of footguns. IIRC, variables would exist for the life of the Apache child, so you had to clear them out or the next request had access to them, so if someone deleted or didn’t run the huge “delete all variables we probably set” proc, and someone was able to get an “info var” output, they’d see everything set in the previous request or further back if nothing overrode it. Like user info, which was just stored in a big global “user” array.
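The state-persistence footgun described above, as an added example in plain Tcl that is not FlightAware's or Apache Rivet's own code: a long-lived interpreter serves two requests in turn, the second one sees the first one's global “user” array unless a cleanup step runs in between. The procs login_page, profile_page and cleanup_request_state are hypothetical names chosen for the illustration.

```tcl
# Added example, not FlightAware or Apache Rivet code. It simulates a
# long-lived Tcl interpreter (like an Apache child) that handles several
# requests in turn, so globals set by one request survive into the next.

# Globals present before any request ran; everything else is request state.
set ::baseline_globals [info globals]
lappend ::baseline_globals baseline_globals

# A "login" page: stores the caller's details in a global user array, as
# the thread describes, and never cleans up after itself.
proc login_page {name card_last4} {
    global user
    set user(name) $name
    set user(card_last4) $card_last4
    return "welcome $name"
}

# A page that only reads the global user array. In a fresh process it is
# empty; in a reused interpreter it returns whatever the last login left.
proc profile_page {} {
    if {![array exists ::user]} {
        return "no user"
    }
    return [array get ::user]
}

# The "delete all variables we probably set" step: unset every global that
# did not exist at startup, so the next request starts clean.
proc cleanup_request_state {} {
    foreach v [info globals] {
        if {$v ni $::baseline_globals} {
            unset ::$v
        }
    }
}

# Request 1: alice logs in. Request 2: a different visitor loads the
# profile page without logging in and is shown alice's data (the leak).
login_page alice 1234
puts "without cleanup: [profile_page]"   ;# stale data from request 1

# Same two requests with the cleanup proc run between them.
login_page alice 1234
cleanup_request_state
puts "with cleanup: [profile_page]"      ;# request 2 starts clean
```

Run it with tclsh (8.5 or newer, for the `ni` operator) to see both outputs; the same leak shows up through “info vars” or any page that merely reads the array.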
I don't think there's anything about Tcl that is inherently insecure, but it indicates that the code might be quite old and from a time where many vulnerabilities and ways to avoid them were not well understood.
Tcl and Rivet to me says the code is from the 1990s or 2000s. Does FlightAware go back that far? Otherwise I am surprised at those choices for anything newer.
2005. There was still code and pages dating back to then running and being used. But over the years, more and more was built on top of it rather than a different stack.
Frontend code would vary with whatever flavor a developer liked at the time, but the backend was still always going through Rivet/TCL.
ICs would complain about it but the founders cashed out to the tune of 9 figures in the end, so it worked out for them.
I’ll agree that TCL isn’t inherently insecure, but you aren’t getting any libraries or frameworks with it either to make your life easier or safer.
The website still looks like the TCL monster it has always been, so I doubt it. But I have no intimate knowledge of the inner workings there soon after the Raytheon buyout.
Oh, it is owned by Raytheon, a huge listed company. That makes it more surprising that the communication is so bad. I'd expect a public company with a market cap of $150b to have its act together regarding crisis communication.
It's part of Collins Aerospace, which was bought by United Technologies, which merged with Raytheon. Having been part of a merger with RTX, generally your IT systems change and that's about it. Most of management stays and as long as your group is hitting numbers, no one from RTX gives a shit what's going on. My guess is if you called up the RTX CEO and asked him for a comment about FlightAware, he's not aware he even owns the site.
Also, Raytheon doesn't ever talk to the public. Most of the work is classified so yea, crisis communication involving the general public, internally, they are clueless.
It's terrible for end users, but to be fair here a domain that sends little mail suddenly sending a lot looks like spam. Cisco's SenderBase for example graphs long-term volume per domain as a key indicator, and their data feeds into several mail services. You're much more likely to at least get the email this way.
I can't confirm that's the reason, but I don't see why they would drip send it otherwise. Also the reply-to email is bounces+MYEMAILADDRESS@bounces.flightaware.com (@ replaced by =)