Air France-KLM estimated > 500M travel data vulnerable via 6-char code

nltimes.nl

7 points by bwblabs 2 years ago · 1 comment

bwblabsOP 2 years ago

Researcher of the leak. I got a question from NOS to test the security of a 6-length short code link (https://www.klm.nl/s/xxxxxx) used in text messages. I've tested two ranges (FAbxxx and KLmxxx), which gave a consistent 1% hit ratio of customer data (57% Air France, 43% KLM). NOS tested a smaller-size random set (and got about 0.5%). 62^6*0.01=568 million. It was probably base64url (we now know - was also used, not yet got a _ confirmation).

Original posting of Dutch article: https://news.ycombinator.com/item?id=38681302
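The estimate in the comment above, worked through as an added example (not code from the researcher, NOS or KLM): it reproduces the 62^6 × 1% figure, repeats it for a 64-symbol base64url alphabet, and sizes the code length a link service would need to keep the hit ratio under a chosen bound. The function names and the 1e-12 bound are assumptions made for illustration.

```python
import secrets
import string

BASE62 = string.ascii_letters + string.digits   # 62 symbols, as in the 62^6 estimate
BASE64URL = BASE62 + "-_"                        # 64 symbols, if '-' and '_' are both used


def estimated_live_codes(alphabet_size, length, hit_ratio):
    """Keyspace size times the observed hit ratio = estimated number of live codes."""
    return alphabet_size ** length * hit_ratio


def guesses_per_hit(hit_ratio):
    """Expected number of random guesses before one lands on a live code."""
    return 1 / hit_ratio


def min_length(live_codes, alphabet_size, max_hit_ratio):
    """Shortest code length for which live_codes / keyspace <= max_hit_ratio."""
    needed_keyspace = live_codes / max_hit_ratio
    length = 1
    while alphabet_size ** length < needed_keyspace:
        length += 1
    return length


def new_code(length, alphabet=BASE64URL):
    """Draw a code from the OS CSPRNG so codes are not sequential or predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, size in (("base62", 62), ("base64url", 64)):
        live = estimated_live_codes(size, 6, 0.01)
        print(f"{name}: {size**6:,} codes, ~{live / 1e6:.0f} million live at 1%")
    print("guesses per hit at 1%:", guesses_per_hit(0.01))

    # Assumed design target: at most one hit per 10^12 random guesses.
    live = 568_000_000
    length = min_length(live, 64, 1e-12)
    print("length needed for 1e-12 hit ratio:", length)
    print("sample code (constructed):", new_code(length))
```

Code length only controls how sparse the keyspace is; a link that exposes customer data still needs authentication or expiry behind it.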
