Anarchist hacker exposes the TSA’s 1.5 million-name no-fly list


First reported by the Daily Dot, an activist and hacker who goes by the name maia arson crimew uncovered a version of the United States government’s No-Fly List dated to 2019 on an unsecured server owned by the regional US airline CommuteAir (formerly CommutAir). The glimpse at this well-known, but not publicly available, US government registry is the latest in a cavalcade of major corporate security breaches in recent months.

Crimew, an independent hacker and researcher, discovered the list via a variant of Shodan, a cybersecurity-focused search engine that allows users to find unsecured servers on the net. Crimew found one such server owned by CommuteAir, a partner of United Airlines specializing in short-range flights. In addition to the list itself, preposterously named NoFly.csv, crimew uncovered detailed employee records for CommuteAir, as well as credentials to allow her access to “navlblue APIs for refuelling, cancelling, and updating flights, swapping out crew members, and so on.”