If we post photos of our boarding passes or plane tickets on social media, a stranger could cancel our flight. This is what happened in 2025 to a woman who had booked a flight to Singapore and shown the ticket on TikTok: an unknown person used the woman’s surname and the alphanumeric code on the ticket to cancel her reservation.
Former Australian Prime Minister Tony Abbott also encountered a similar incident in 2020: after sharing a photo of his boarding pass on Instagram, a hacker managed to discover his phone number and passport data in just 45 minutes. Fortunately he had no criminal intent and contacted the Australian authorities and the Prime Minister’s staff directly to report the problem.
This happens because there is sensitive information on the boarding passes that allows you to easily modify a booking, canceling it, rescheduling it or intervening on the return flight, but also accessing further personal data. Posting our boarding pass on social media makes us potential targets of scams and cybersecurity attacks.
Let’s see what information is contained in the boarding passes, what can be extrapolated from the codes present and how to protect yourself.
What information is contained on the boarding passes
On the boarding pass, that paper or digital document that allows us to board planes, the name and surname of the traveler, any middle names, the airline, the flight number, the departure and arrival times, the assigned seat, the ticket code and the PNR (Passenger Name Record), i.e. the six-character alphanumeric code that uniquely identifies the booking, are indicated.
Having access to the passenger’s PNR and surname, information also present on the tickets, it is often possible to enter the airline portals and modify or cancel the booking… But not only that! In some cases, you can view your personal contact details (phone number, email address, and sometimes your home address), loyalty program details, any hotel or rental car reservations related to your trip, and sometimes even your date of birth and passport information.
All this information can be exploited for different types of scams. One of the most common exploits social engineering, a technique that uses psychology to manipulate people into disclosing sensitive information. For example, someone in possession of all the booking details can pretend to be the airline and contact the passenger via phone or email asking for credit card details to “confirm” the return flight.
Precisely for this reason it is extremely important to cover the writing on the tickets. But even if we remember to cover everything by inserting, for example, the ticket or boarding pass in the passport and showing only the details, we could still make the same information public if we don’t cover the barcodes (or QR codes, in the case of electronic tickets).
What are the codes on boarding passes?
Barcodes and QR codes on boarding passes follow a standard called BCBP (Bar-Coded Boarding Pass), introduced by IATA (International Air Transport Association) and used by more than 200 airlines. This standard defines the format of the codes, guarantees that they can be read and processed at any airport and allows the required information to be encoded. PDF417 barcodes, Aztec code, Data Matrix and QR code can be used.
PDF417 is a high-density barcode, composed of multiple stacked lines. Precisely for this reason, it can contain a large amount of data and is the most used format for paper boarding passes.
Then there is the Aztec Code, visually very similar to a QR code, but with a series of squares in the center that recall the tip of an Aztec pyramid. Like the QR code, it can also be read on low resolution screens or if partially damaged; this is why it is very common in digital boarding passes displayed on smartphones.
Data Matrix and QR codes still exist, less widespread but still used by some airlines.
Regardless of the format, all these codes contain the same information, enclosed in a string of text and numbers that follows specific rules. Inside are encoded the passenger’s name and surname, the PNR, flight times, the airline… in short, all the information printed on the boarding pass and even something more.
These codes are designed to be easily and universally read at airports, thus speeding up the boarding process. Precisely this ease of reading, however, makes them vulnerable: anyone can decode them using free software, even starting from a screenshot.
How to defend yourself and what security measures to take
The most effective security measure remains the simplest: avoid posting photos of your boarding pass online. If you decide to do so anyway, it is important to cover all sensitive information, including barcodes and QR codes.
Another way to reduce risk is to not lose, forget or throw away your boarding pass or paper ticket at airports or on planes, where it could be retrieved by other people. In fact, even after use, the ticket can be used to extract sensitive information.
A further precaution to avoid scams and theft is to share photos of the trip only after returning. Posting a picture of a plane ticket online signals that you are away from home for a period of time and can increase your exposure to scams or theft.
