The boarding-pass hack that hit Australia’s former prime minister

Maybe don’t upload your boarding pass to Instagram.


September 21, 2020

You probably aren’t flying much right now, which might be for the best. All those boarding pass pics you’ve posted to Instagram? Turns out, hackers love them.

Since at least 2015, scammers have seized on boarding pass barcodes that travelers have posted publicly — or tossed in the trash.

And most recently, a new victim really stepped in it: former Australian Prime Minister Tony Abbott.

Vacation pics are perilous

Back in March, when Abbott posted a photo of his boarding pass from the airline Qantas, an Australian blogger named Alex decided to experiment.

When logging in, Qantas only asks for 2 pieces of info from customers: your last name and your booking reference code.

Abbott’s booking code was printed on his boarding pass. When Alex entered the code, plus “Abbott,” he was in.

At first, most of the info seemed a little drab

Alex could see Abbott’s frequent flyer number and his flight times for Qantas.

But when Alex used a Google Chrome feature called “Inspect” to look over the page source Qantas had sent to his browser, he hit a goldmine.

Two things were buried in the HTML: Abbott’s personal phone number… plus his passport. Yes, the private, government-issued passport number for the former Prime Minister of Australia.

Lesson being: Never post on Instagram.
