We’ve all been bored on the internet, right? Aimlessly or , eyes glazing over as we spend hours doing the online equivalent of re-checking an empty fridge. But some people, it seems, use their boredom-induced internet browsing for more than just re-reading . Some use it to shine a light on the American surveillance state.

At least, that’s what Swiss hacker does. Through her hacking endeavors, she’s gotten her paws on all sorts of auto-adjacent information — everything from to . But her latest get may be her biggest yet: . Holy fucking bingle indeed.

For a hack of this scale, was relatively simple. She began with a site called Zoomeye — an international version of the search engine Shodan, which indexes internet-connected devices (like servers and routers) that have ports open for access from the broader web. In particular, crimew was looking for servers running , software that automates some of the more tedious tasks of developing and testing new code. You see, when automating processes, lazier developers will often leave default credentials in place — credentials that hackers like crimew can use to gain unauthorized access.

Upon finding a server full of vaguely aeronautical-sounding words, crimew’s curiosity was piqued. So, like a of old discovering a new BBS, she started poking around its files and folders. Quickly, she stumbled upon all manner of sensitive information: crew manifests, communications between planes and ground crews, and some projects that made reference to something called “nofly” — as well as a link where the software looked for that list.

And, clicking through that link, she found it: A spreadsheet with 1.5 million rows of data, each one a person (or alias, or suspected alias) deemed unworthy to fly by the FBI. Its contents are unsurprising — a list primarily comprised of “” names, picked out by .

With each hack and data leak, crimew has pointed out how our personal information is rarely as secure as we think. Whether it’s Nissan sales data or actual, live surveillance footage, private companies often make our info far more broadly accessible than we expect through their poor security. Now, it seems, we have proof of government agencies doing the same.