Initial Assessment of the Alleged United Airlines SMS Data Leak
Recently, a post surfaced on a Russian hacker platform, accompanied by related Telegram channel activity, suggesting an alleged data leak involving United Airlines (“FlyUnited”). The claim indicated the exposure of approximately 272 million records, supported by screenshots and downloadable samples of SMS messages.
Alleged United Airlines data leak post in a hacker forum
A flight detail referenced in the SMS samples, specifically United Airlines flight UA32 from Los Angeles (LAX) to Tokyo Narita (NRT), was verified using publicly available tracking data. According to FlightAware, UA32 departed at 10:45 AM PDT on May 23, 2025, and arrived at 2:00 PM JST on May 24, 2025. This aligns with the timing and route data found in the leaked messages.
Flight details (FlightAware)
URLs found in the samples, pointing to gofly.united.com, were also confirmed to resolve to legitimate United Airlines service pages, commonly used for check-ins, boarding pass access, and baggage tracking.
The SMS samples primarily targeted Chinese mobile numbers (+86), which, while region-specific, is plausible considering United Airlines’ global service coverage. A critical anomaly was the persistent presence of the term ‘FakeDLR’ (Fake Delivery Report) within all message logs. This marker is typically associated with internal test environments or simulated traffic, raising the likelihood that the content does not originate from real customer activity.
However, it’s also possible that the presence of delivery reports, even labeled as ‘FakeDLR’, could be a standard part of logging systems used to simulate or track whether messages are successfully processed, without necessarily indicating malicious intent.
Sample data shared by the threat actor
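The checks described above (how many records carry the test marker, which destination prefixes appear, and whether each URL host really sits under united.com) can be scripted for sample triage. This is an added example, not code from the original post; the pipe-delimited record layout, the sample lines and the function names are constructed assumptions, since the post does not show the raw log format.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample records, not taken from the leak. Assumed layout:
# timestamp|destination|dlr_status|message_text
SAMPLE = """\
2025-05-23T09:01:00Z|+8613800000001|FakeDLR|UA32 LAX-NRT departs 10:45 AM. Check in: https://gofly.united.com/x1
2025-05-23T09:02:00Z|+8613800000002|FakeDLR|Your boarding pass: https://gofly.united.com/x2
2025-05-23T09:03:00Z|+12025550100|FakeDLR|Bag update: https://gofly.united.com.example.net/x3
"""

TEST_MARKER = "fakedlr"            # marker named in the article
EXPECTED_DOMAIN = "united.com"     # parent domain of gofly.united.com
PREFIXES = ("+86", "+1")           # only the prefixes used in SAMPLE
URL_RE = re.compile(r"https?://[^\s|]+")

def host_matches(host, domain):
    """True for the domain itself or a genuine subdomain, not a lookalike."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(text):
    """Summarise test markers, destination prefixes and off-domain hosts."""
    total = marked = malformed = 0
    prefixes, off_domain = Counter(), []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:        # count, but do not trust, broken records
            malformed += 1
            continue
        _, dest, status, body = parts
        total += 1
        marked += TEST_MARKER in status.lower()
        prefixes[next((p for p in PREFIXES if dest.startswith(p)), "other")] += 1
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not host_matches(host, EXPECTED_DOMAIN):
                off_domain.append(host)
    return {"total": total, "malformed": malformed,
            "marker_ratio": marked / total if total else 0.0,
            "prefixes": dict(prefixes), "off_domain_hosts": off_domain}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A marker ratio at or near 1.0 is the pattern the assessment treats as pointing to test or simulated traffic. The suffix check matters because a host that merely contains "united.com" is not necessarily a United Airlines page.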
The Telegram channel and forum screenshots indicated attempts to distribute or market this supposed leak, with mentions of sales for “premium real-time phone numbers.” These files appeared to be hosted on an obscure file-sharing platform typically associated with unofficial or unauthorized data distribution.
Telegram channel of the threat actor
Based on the current evidence, the SMS data appears accurate in terms of flight details. However, the prominent presence of test-related markers (‘FakeDLR’) implies that these are likely not customer messages but internal test data that was leaked or misrepresented externally, or that the claims are entirely fabricated.
Prior Unvalidated Claims of the Threat Actor
This is not the first instance where the threat actor in question, using the alias “Machine1337,” has made controversial claims. A recent incident involved the actor alleging a breach of Steam (Valve), where data including SMS metadata and old two-factor authentication codes was reportedly leaked.
In that case, the actor referenced Twilio services. However, both Valve and Twilio denied being the source of any breach. Valve confirmed that the SMS data was legitimate in terms of message content but clarified that their own systems were not compromised. Instead, they cited the unencrypted nature of SMS messages in transit and the involvement of multiple third-party providers as contributing factors. Twilio also denied ever providing services to Valve in that context.
Valve’s statement emphasized that the leaked messages were historical, contained no account credentials, and could not compromise customer accounts. They recommended standard security hygiene and reiterated that customers do not need to reset passwords or change phone numbers. More information and Valve’s response can be found via XDA Developers.
In Conclusion
This background provides useful context when assessing the credibility of the United Airlines claim. While the flight and URL data seem authentic, the use of FakeDLRs and the history of exaggerated or misleading claims from the same actor suggest a need for caution before treating this as an actual breach of customer data.

