Earlier this month, a Swiss hacker who goes by the name maia arson crimew exfiltrated a copy the US government’s No Fly List from an insecure server. This list, which names individuals who are forbidden from flying anywhere within US borders, is a subset of the Terrorist Screening Database and is kept hidden from the public. However, this list is now publicly available after an unknown actor posted the version accessed by crimew to BreachForums.

Crimew originally came into possession of this list when browsing the Jenkins servers on ZoomEye, which, similar to Shodan, lets users search for servers connected to the internet. The hacker happened to come across a Jenkins server operated by the airline CommuteAir. After digging through this server for a time, crimew discovered credentials for the company’s Amazon Web Services (AWS) infrastructure. The hacker then used the credentials to connect to this infrastructure, which crimew found to contain a 2019 copy of the No Fly List, as well as a “selectee” list. This second list likely names all those who are subject to Secondary Security Screening Selection (SSSS).

In a blog post published by crimew, the hacker acknowledges that these lists are sensitive in nature before stating, “[I] believe it is in the public interest for this list to be made available to journalists and human rights organizations.” Crimew accordingly made the lists available for access upon request, requiring that applicants be journalists, researchers, or other parties with legitimate interest. The service hosting the lists, Distributed Denial of Secrets, further states that requests will probably be rejected if interested individuals don’t provide sufficient information to verify their identities and if said individuals are “hacktivist[s] that want to exploit the data” or “researcher[s] without a clear journalist or academic project.”

Despite the apparent limitations on who can access this information, someone managed to obtain a copy of the lists and posted them for free on BreachForums. According to BleepingComputer, the No Fly List contains 1,566,062 entries and the…