27,000 UnEncrypted Credit Cards left in shared Database by Thefly.com

Today a hacker who uses the twitter handle @0x55Taylor posted some screen shots of a breach that was happening at that time, since then i have spoken to them about this breach which appears to affect all users who register at thefly.com a leading digital publisher of real-time financial news between 2006 and 2015.

@0x55Taylor has shared the data they obtained from the breach which was a 2.6gb sql file named theflyonthewall.com.sql that is a complete export/dump of a mysql database. The breach it self has been possible due to another website, not related to thefly.com that had a vulnerability that allowed the hacker to access thefly.com database as well as 7 other databases that belong to other unrelated sites. The breached data contains clear text credit card numbers along with the associated names, addresses and expirys of over 27,000 of its users from 2006-2015. The leak in total contains over 100,000 user accounts but only about 27,000 of them have links to credit card details which are stored in complete clear text.


The credit card details exposed in the breach appear to mostly be very old with data raning from 2006 up to 2015. Thefly.com offers its users 2 plans ranging from 364usd to 624usd annually which gives them access to breaking news, trending topics and stock movements.

Thefly also has a pretty funky privacy policy which these days is very common, but considering they have been breached and exposed as storing clear text data then its any wonder if the following piece from the privacy statement on their website is actually telling any truth at all.

Security of Personal Information
Any personal information you provide to this website is kept on secure servers. TheFly.com uses reasonable administrative and technical measures to safeguard personal information against loss, theft, unauthorized use, disclosure, or modification. To help us protect your privacy, you should maintain the secrecy of your logon ID and password for this website.

At time of publishing i had not heard back from anyone @ thefly.com and according to 0x55Taylor the database has been deleted.

About the author: Lee J

Security Analyst, Developer, OSINT, https://www.ctrlbox.com

Comments are closed.