Maia Arson Crimew’s “No Fly List” Leak refers the January 2023 leak by Maia Arson Crimew, a Swiss, LGBT+ hacker who leaked information involving terrorists to their blog maia.crimew.gay. The leak sparked mass media coverage and memes as well as online discourse focusing primarily on Twitter and TikTok
The Daily Dot published an article entitled, “U.S. Airlines accidentally exposes No Fly List’ on Unsecured Server.” It stated that maia arson Crimew, a Swiss hacker, leaked information on their website (maia.crimew.gay ), the TSA’s “No Fly List.” The list contained approximately 1.5 million names and aliases for people barred from flying due to their connections to terrorist organizations.
The Daily Dot reached maia arson crimew to ask questions. They said, among others:
Maia arson offensew was described by the Department of Justice in an unrelated Indictment as a “prolific hacker”. She said that she was using an online search engine with many unprotected servers when on January 12, she found a server maintained by an unknown airline. The highly sensitive documents were along with what she called “a pot” of additional information.
The Daily Dot reported that the server was hosted by CommuteAir. This regional airline partners with United Airlines to create United Express routes. The Daily Dot reported that it contained a redacted version of the 2019 anti-terrorism “no fly” list. The FBI found files “NoFly.csv” and “selectee.csv”, which contain more than 1.8 million entries, including the names and dates of birth for people it identifies as “known or suspected terrorists” and who are prohibited from flying “when flying within, from, and over the United States.”
Insider was able to confirm the authenticity of the files and a spokesperson for the airline said that personally identifiable information from employees was also discovered in the hack.
Erik Kane, a spokesperson from CommuteAir stated in a statement to Insider that “Based on our initial investigations, no customer data were exposed.” “CommuteAir immediately removed the affected server from its network and began an investigation to determine the extent data access. CommuteAir reported data exposure to Cybersecurity and Infrastructure Security Agency and also notified its employees.