April 4, 2014 • RBS

Categories: Security News

A hacker who goes by the handle ‘MrNervous’ or ‘WhiteHatMrNervous’ has been up to some questionable activities earlier this year which has resulted in data being leaked and a business being given a very short time to pay a “bounty” to fix a vulnerability.

WhiteHatMrNervous has posted that the Flight Centre Travel Group had been contacted by him/her about a breach that occurred on the 9th of February in which s/he had tried to advise the IT staff of the issue and how it should be resolved, but requested a US$5,000 “bounty” for the information. After waiting for only one day without a reply, s/he published two site databases on various file hosting websites: and

The two databases have resulted in very different types of data becoming public, both via a very common but not very published method. Like this case, many hackers are finding vulnerabilities in web sites, extracting data, and asking for a payout to tell the site how to fix the data. If no money is forthcoming, then the data gets posted publicly to shame the company

This is not the first time we have seen methods like this used, but normally the waiting period between requesting the bounty (or as many see it “attempted extortion”) is typically a lot more than one day. The breach was first posted to the hacker’s blog on the 10th then later to pastebin on the 14th of February and 17th of March. That means this data has been floating around online for several weeks now.

In a statement by the self-proclaimed “whitehat” hacker posted on the 17th, s/he stated the motivation behind the breach is that companies are ignoring requests for such bounty payments or to even speak to the volunteer “penetration-testers”. Rather than work with the person trying to help them (to some degree), they have been sent DMCA take-down notices over previous leaked databases pushing them to focus on the Flight Centre Travel Group.

This aggravated the whole situation and the pentester is now focussed on Flight Centre Travel Group of companies to find flaws in all of them and download their data to later publish it online. So that, next time they and any other company thinks twice before sending a Takedown notice or taking any action of any kind against the Tester

MrNervous has also stated that s/he is going to “bring them to their knees” and advised that the customers should think twice about using the site in the future, going so far to advise them about lawsuits.

Now it might just be the time, when the customers of Flight Centre Travel Group will rethink on whether they should continue to deal with this company as they do not actively monitor nor safeguard the security of their dataBase, which contains their client’s private data, contact details, and a lot.

If you are one of their Client or planning to deal with them for your travel plans, or if you even send them queries for travel plan, Please be informed that all the data you share with them will be all out there, published on the Internet. You might then want to file lawsuits against them if your confidential data is among the data which is leaked.

Flight Centre Travel Group, I will bring you on your knees! “

The breach was carried out by abusing a SQL injection vulnerability in the Parallels Plesk software that resulted in complete system database access as well as all staff authentication credentials.

On a side note, the complete range of Flight Centre websites use a common privacy policy which appears to contradict what has been leaked, as it states they strive to protect personal information and have various measurements in place to do so. Yet they have plaintext passwords for 2,798 users showing that even basic password hashing is not being performed.

Flight Centre has implemented various physical, electronic and managerial security procedures in order to protect personal information from loss and misuse, and from unauthorized access, modification, disclosure and interference.

Flight Centre regularly reviews security and encryption technologies and will strive to protect your personal information as fully as we protect our own confidential information.

Its also not the first time Flight Centre has come in the cross-hairs of hackers or the media. Earlier in February, a hacker appeared in court over accessing credit card details which resulted in $123,000 worth of fraud.

We have reached out to the staff at Flight Centre for comment, but have not received a reply yet.

Leaked Data Statistics:
  • 165 staff accounts with full login credentials such as user names, email addresses, full names, and encrypted passwords.
  • 1,712 travel club user details including names, emails, and usernames.
  • 3,615 weddingregisterforms emails, full names, locations, contact details, and wedding details.
  • 2,798 shop staff accounts with contact information such as full names and email addresses, as well as their plaintext passwords.
Our products
The Platform
Risk Based Intelligence
Learn more
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more