It’s become a travel ritual. You get to the airport, grab your boarding pass, and snap a photo for Instagram. “Next stop: Bali! ✈️🌴” Maybe you’re thoughtful about it — you scribble over your name with a finger, or crop the photo to hide the personal details.

But you leave the barcode visible. Of course you do. It’s just a bunch of lines and squares. What could anyone possibly do with that?

Oh, quite a lot, actually.

Your barcode is your boarding pass

That barcode (or QR code — same problem) isn’t decoration. It’s the entire contents of your boarding pass encoded in a format that any free scanning app can decode in about two seconds.

Here’s what’s in there, according to the IATA Bar Coded Boarding Pass (BCBP) standard:

Your full name
Flight number, date, and route
Booking reference (PNR)
Seat assignment and class of service
Frequent flyer number
Ticket number
Check-in sequence number
Document type and verification data

The booking reference alone is the golden key. With your name and PNR, anyone can log into the airline’s “Manage My Booking” page and see — or change — everything about your reservation.

What someone can do with your barcode

Security researcher Brian Krebs demonstrated this back in 2015, and it’s only gotten easier since:

View your full booking — including passport details, contact information, and travel companions
Change your seat assignment — annoying, but just the start
Alter your contact details — redirect booking confirmations to a different email
Access your frequent flyer account — drain your miles, change your password
Cancel your flight — yes, really
Book new flights on your frequent flyer account

According to McAfee, only 13% of young adults who share boarding passes on social media realize the potential security risks. The other 87% are basically posting their apartment key on Instagram and captioning it “Home sweet home! 🏠🔑."

"But I edited out my name!”

Great. The barcode still has it. Along with everything else.

People do this all the time: they’ll carefully blur their name, cover their seat number, maybe even black out the flight number. Then they leave a crystal-clear, high-resolution barcode in the frame. It’s like redacting a letter but leaving the envelope open.

Even a slightly blurry barcode can often be decoded. Krebs on Security noted that modern barcode scanners can handle remarkable amounts of distortion. If a human eye can tell it’s a barcode, a decoder can probably read it.

The QR code on your phone is just as risky

Think mobile boarding passes are safer because they’re digital? The QR code on your phone contains the same BCBP data as the printed barcode. A screenshot posted to your Instagram story is just as exploitable as a photo of a paper boarding pass.

And screenshots have a fun bonus: they’re high-resolution, perfectly flat, and have no glare. A scanner’s dream.

What to do instead

Look, I get it. You’re excited about your trip. You want to share the moment. Here are some options that don’t involve broadcasting your booking reference to the internet:

If you must post a boarding pass photo:

Cover the barcode entirely. Not partially. Not “mostly.” Entirely. Use a solid sticker, a finger, or a crop that removes it completely.
Cover the booking reference (PNR) — that 6-character alphanumeric code is your other golden key.
Cover your frequent flyer number — if visible.

Better alternatives:

Take a photo of the departure board (no personal data)
Snap a picture of your gate view
Photograph your airport coffee (we all know you’re going to anyway)
Post from the plane window after takeoff

After your trip:

Don’t throw boarding passes in public trash bins. Shred them, or at least tear through the barcode.
Delete boarding pass screenshots from your camera roll.

It’s not just boarding passes

This is part of a bigger pattern: we share images of documents online without realizing how much data is embedded in them — visibly or in metadata.

Boarding passes have barcodes. Passport photos have MRZ zones. ID cards have national ID numbers. Event tickets have QR codes linked to your payment details. Every one of these is a document with machine-readable data that’s trivial to extract.

The rule is simple: if a document has a barcode, QR code, or machine-readable zone, cover it completely before sharing it publicly. No exceptions, no “it’s probably fine,” no “who would even bother.”

Someone would bother. For $10 worth of airline miles or the fun of canceling a stranger’s flight, someone absolutely would.

Enjoy your trip. Post the sunset, not the boarding pass.

That Boarding Pass Selfie on Instagram? You Just Shared More Than Your Vacation Plans.