{"id":645686,"date":"2026-05-06T13:01:41","date_gmt":"2026-05-06T11:01:41","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=645686"},"modified":"2026-05-06T13:07:18","modified_gmt":"2026-05-06T11:07:18","slug":"flysafair-leaked-peoples-private-information-during-r12-ticket-birthday-sale","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/645686-flysafair-leaked-peoples-private-information-during-r12-ticket-birthday-sale.html","title":{"rendered":"FlySafair leaked people&#8217;s private information during R12 ticket birthday sale"},"content":{"rendered":"\n<p>Popular low-cost South African airline FlySafair leaked the private information of users participating in its highly anticipated R12-a-ticket birthday sale on Wednesday.<\/p>\n\n\n\n<p>MyBroadband was informed that the sale site\u2019s bulletin chat API could easily be accessed and that it was providing details of users participating in the sale, including names and email addresses.<\/p>\n\n\n\n<p>We immediately notified FlySafair representatives, who told us the airline\u2019s staff were actively working to take down the chat\u2019s API.<\/p>\n\n\n\n<p>From the official start of the sale at 9:00 on Wednesday until the moment we were first informed that the chat bulletin board was taken offline, user data was accessible for 1 hour and 39 minutes.<\/p>\n\n\n\n<p>During that time, the API showed the full names, email addresses and IP addresses of anyone who posted messages to it. The API also indicated whether a poster was a winner.<\/p>\n\n\n\n<p>The API through which the information was leaked was part of a new feature that was added to the portal for this year\u2019s sale. 
Previously, the site pulled a live feed from Twitter\/X.<\/p>\n\n\n\n<p>\u201cWe wanted something a bit more controlled and engaging this time around,\u201d said Kirby Gordon, FlySafair spokesperson and chief marketing officer.<\/p>\n\n\n\n<p>FlySafair confirmed that it had removed the chat board at 11:20 and that the API data had been cleared, including the email and IP addresses.<\/p>\n\n\n\n<p>Gordon indicated that the sale was not affected by the removal of the chat feature and that every other part of the process remained \u201cstatus quo\u201d.<\/p>\n\n\n\n<p>\u201cIt\u2019s something we\u2019ll be reviewing with our technology partners as an urgent priority because what happened is entirely unacceptable,\u201d he told MyBroadband.<\/p>\n\n\n\n<p>\u201cA full post-mortem process will follow once the live operational environment has quietened, with a clear focus on understanding exactly where the failures occurred.\u201d<\/p>\n\n\n\n<p>The airline will also identify actions required to prevent a repeat of the issue, but Gordon said the immediate priority was supporting customers and ensuring the sale continues to operate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Oil prices cast cloud over highly anticipated sale<\/h2>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/mybroadband.co.za\\\/news\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/FlySafair-Leaks-4.jpg&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-large&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-645699&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1600,&quot;targetHeight&quot;:900,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-large wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"675\" data-wp-init=\"callbacks.setButtonStyles\" 
data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4-1200x675.jpg\" alt=\"\" class=\"wp-image-645699\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4-1200x675.jpg 1200w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4-600x338.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4-768x432.jpg 768w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4-1536x864.jpg 1536w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-Leaks-4.jpg 1600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption class=\"wp-element-caption\">Sample of the chat API that leaked user information. Private user information has been removed. 
<\/figcaption><\/figure>\n\n\n\n<p>While the API was accessible, users could see their position in the waiting queue for entry in the R12 ticket competition.<\/p>\n\n\n\n<p>We saw that more than 594,000 people were in the queue around 10:30, with likely thousands more taking part throughout the sale.<\/p>\n\n\n\n<p>The usual excitement over the sale was subdued this year, as many South Africans who hoped to purchase tickets posted their disappointment on social media about prices exceeding R12.<\/p>\n\n\n\n<p>This year, the airline said it was forced to add surcharges and taxes to the R12 ticket prices, driven by the international fuel crisis and jet fuel costs in South Africa.<\/p>\n\n\n\n<p>\u201cAs a result, the fares this year are not R12 all-in as they were previously, but rather R12 excluding taxes and surcharges,\u201d explained Gordon.<\/p>\n\n\n\n<p>\u201cIt\u2019s still an exceptionally strong deal, but we\u2019re no longer in a position where we can effectively subsidise the taxes and fuel-related components of the ticket as well.\u201d<\/p>\n\n\n\n<p>According to a full breakdown of ticket prices, although the base ticket price is R12, taxes and surcharges can push prices over R1,183.<\/p>\n\n\n\n<p>This can double if return tickets are also purchased, with one user posting online that their full ticket price went up to R3,647.32 for flights to and from Cape Town and Johannesburg.<\/p>\n\n\n\n<p>In April, FlySafair explained that it adjusted the surcharge on tickets weekly to reflect fluctuations in fuel prices. 
It recently decreased the additional costs for two weeks in a row.<\/p>\n\n\n\n<p>\u201cThe surcharge is not a revenue mechanism, it moves directly with our actual fuel costs,\u201d said Gordon.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Screenshot of FlySafair chat board API leak<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><a  data-lightbox=\"post-image\" href=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-leaks-1.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"497\" height=\"366\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/FlySafair-leaks-1.jpg\" alt=\"\" class=\"wp-image-645718\" style=\"object-fit:cover\"\/><\/a><figcaption class=\"wp-element-caption\">User information accessible through the chat API. Screenshot from <a href=\"https:\/\/x.com\/lethiakx\/status\/2051932541687349457\/photo\/1\" target=\"_blank\" rel=\"noopener\">@lethiakx on X\/Twitter<\/a>.<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>FlySafair accidentally leaked the private information of contestants, including email addresses, who took part in its popular R12 a ticket sale. 
<\/p>\n","protected":false},"author":341213,"featured_media":645701,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[14673,105038,32430,105033,69655,60031,405],"class_list":["post-645686","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-api","tag-email-leak","tag-flysafair","tag-flysafair-birthday-sale","tag-kirby-gordon","tag-leaks","tag-twitter"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/645686"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=645686"}],"version-history":[{"count":8,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/645686\/revisions"}],"predecessor-version":[{"id":645723,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/645686\/revisions\/645723"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/645701"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=645686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=645686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=645686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}