Lost and Found Software tracking site leaks over 800K records
A significant data leak has been discovered affecting Lost and Found Software, a Germany-based company providing lost and found tracking and return services for multiple airports across the US, Canada, and Europe.
Cybersecurity researcher Jeremiah Fowler discovered and reported a non-password-protected database that contained 820,750 records totaling 122 GB of sensitive data.
The researcher identified a total of 14 databases, with 10 publicly accessible and 4 restricted. Fowler found records and images including shipping labels, screenshots, reports, and information about lost items. These range from medical devices and computers to personal electronics, wallets, bags, antiques, and various other personal belongings that travelers typically take on flights.
The leak includes high-resolution images of identification documents, among them:
- Passports
- Driver's licenses
- Employment documents
- Payment confirmations
- Shipping labels
- Original receipts of lost products
- Additional documents containing personally identifiable information (PII)
Such personal data can be valued at over $1,000 on the dark web and could potentially be used to commit identity fraud, open accounts in victims' names, or create counterfeit documents. The exact number of affected individuals was not disclosed.
The majority of the exposed records were contained in folders labeled "user image and item image." It's unclear whether these images were uploaded to file claims and identify ownership of lost documents, or if the documents themselves were lost and subsequently digitized by airport staff.
After receiving Fowler's responsible disclosure notice, Lost and Found Software thanked the researcher, and the 14 identified databases were restricted from public access within hours of notification.
It's unclear whether the database was owned and managed directly by Lost and Found Software or by a third-party contractor. No details are available about how long the data was exposed before discovery or whether any unauthorized parties gained access to it.