Bei ProjectFly kam es in den vergangenen Tagen zu einer Datenpanne. Ein User, der seine gespeicherten Daten von ProjectFly wollte, um sie in Simtoolkitpro (Anm.der.Red: Ein Konkurrenztool zu ProjectFly) zu importieren, bekam eine Datei mit Daten zugeschickt, die von einer dritten Person stammten. Das beschrieb der User zumindest auf Reddit :
Funny thing about GDPR and ProjectFly. I recently requested all my data, so i could move that to Simtoolkitpro. They sent all the files in json format, but one file called “User.json” wasnt mine. So I had someones Loginname, Email, Country, Date of Birth and so on from a random person. I am legitimately concered about the safety and privacy off all User’s Data.
Nach einem langen Thread auf Reddit, in dem mehrere User ähnliche Daten-bezogene Probleme schildern, folgte von ProjectFly umgehend eine Stellungnahme auf Facebook. Darin bestätigt das Team um Matt Davies, dass es tatsächlich zur vom Reddit-User genannten Datenpanne gekommen sei: “Einer begrenzten Anzahl von Nutzern” wäre es möglich gewesen, fremde Daten herunterzuladen, schreibt ProjectFly. Bei diesen Daten wäre neben Namen, Username, Email unter anderem auch das verschlüsselte Passwort und Stream-Key dabei gewesen. Gleichzeitig erklären die Entwickler, dass das rohe Passwort niemals zu sehen gewesen sei und daher kein weiteres Handeln nötig wäre, um die Accounts zu sichern. Jeder User, der von dieser Panne betroffen sei, wäre laut ProjectFly schon angeschrieben worden.
Hier das ganze Statement im originalen Wortlaut:
Dear All,
On the morning of the 10th June 2020, we were made aware that an unintentional change in our export data process, by a developer, resulted in a limited number of users being able to download data which was not theirs.
This data included their name, username, email and their encrypted password (using one-way hashing), among other less sensitive details such as the stream key (used to display the overlay), local ICAO and the dates the account was created and last logged in on and in 3 cases dates of birth. All users that have had details released have been emailed letting them know.
We take data protection very seriously and we quickly launched a full investigation into this. Access to said exported data has now been removed and have corrected the error in our export function. We have also reviewed our procedures for implementing new software that deals with sensitive data to ensure that this does not happen again.
We would like to reassure everyone that your raw password was not released and therefore no further action is required to secure your accounts, and if you have not received an email you have not been affected by this.
We apologise to those users that have had details leaked of the breach, and will happily answer any concerns or queries you have through a support ticket.
Kind Regards,
The projectFLY Team
