FlexBooker apologizes for breach of 3.7 million user records, partial credit card information

Scheduling platform FlexBooker apologized this week for a data breach that involved the sensitive information of 3.7 million users. 

In a statement, the company told ZDNet that a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said its “system data storage was also accessed and downloaded” as part of the attack.

It added that it worked with Amazon to restore a backup and was able to bring operations back in about 12 hours.

“We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

The spokesperson said the data was “limited to names, email addresses, and phone numbers” and a website notifying customers of the breach says the same thing. 

But Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.”

A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.  

Reporters from Bleeping Computer said the group behind the attack, Uawrongteam, leaked information from FlexBooker and two other companies on a hacking forum. The reporters tied the breach to a DDoS attack that FlexBooker reported on December 23.

In its log of the attack, FlexBooker said the attack caused widespread outages of its core application functionality and required help from AWS to resolve.

“We have been informed that this should not have been possible, but before they were able to assist technically, they had to ensure that all our security practices were correct. They have completed this step, and this has now gone to their leadership team who have approved dedicating technical resources to this immediately,” FlexBooker said of the assistance from AWS on December 24. 

“We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.”

The issue was resolved about eight hours later. 

Shared Assessments’ Nasser Fattah said he has seen DDoS attacks launched as a distraction: the flood disrupts vital business services while the adversary’s primary goal is to gain access and exfiltrate sensitive information.

“We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack,” Fattah said. “And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”
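The “other anomalies” Fattah describes can be checked mechanically while the availability team is busy with the flood. The script below is an added example, not code from the article, FlexBooker or AWS: given a DDoS alert window, it scans constructed flow-log and auth-log lines for two things a distraction attack is meant to hide, a sharp rise in outbound bytes from a host compared to its pre-attack baseline, and a run of failed logins followed by a success. The hostnames, log formats, alert window and the `DDOS_WINDOW`, `egress_anomalies`, `guessed_then_succeeded` and `triage` names are all assumptions made for the illustration.

```python
"""
Added example, not part of the article or FlexBooker's own tooling: given a
DDoS alert window, look for the "other anomalies" a distraction attack is
meant to hide, here egress spikes and credential guessing on internal hosts.
All log lines, hostnames and the alert window below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow-log lines: "<ISO timestamp> <host> <direction> <bytes>"
FLOW_LOG = """\
2021-12-23T10:00:00 db-01 out 120000
2021-12-23T10:05:00 db-01 out 110000
2021-12-23T10:10:00 db-01 out 130000
2021-12-23T10:15:00 web-01 out 500000
2021-12-23T10:20:00 web-01 out 480000
2021-12-23T11:00:00 db-01 out 4900000000
2021-12-23T11:05:00 db-01 out 5100000000
2021-12-23T11:10:00 web-01 out 520000
2021-12-23T11:12:00 web-01 out 510000
"""

# Constructed auth-log lines: "<ISO timestamp> <host> auth <user> <ok|fail>"
AUTH_LOG = """\
2021-12-23T10:02:00 db-01 auth deploy ok
2021-12-23T11:01:00 db-01 auth admin fail
2021-12-23T11:01:05 db-01 auth admin fail
2021-12-23T11:01:10 db-01 auth admin fail
2021-12-23T11:01:15 db-01 auth admin ok
2021-12-23T11:03:00 web-01 auth deploy fail
"""

# Hypothetical alert window emitted by availability monitoring when the DDoS began.
DDOS_WINDOW = (datetime(2021, 12, 23, 10, 55), datetime(2021, 12, 23, 11, 30))


def in_window(ts, window):
    start, end = window
    return start <= ts <= end


def egress_anomalies(flow_text, window, factor=10.0):
    """Hosts whose mean outbound bytes per flow record inside the window exceed
    `factor` times their mean outside it. Returns {host: (baseline, in_window)}."""
    outside, inside = defaultdict(list), defaultdict(list)
    for line in flow_text.splitlines():
        ts, host, direction, nbytes = line.split()
        if direction != "out":
            continue
        bucket = inside if in_window(datetime.fromisoformat(ts), window) else outside
        bucket[host].append(int(nbytes))
    flagged = {}
    for host, vals in inside.items():
        base = outside.get(host)
        if not base:
            continue  # no pre-attack baseline for this host; nothing to compare against
        baseline = sum(base) / len(base)
        current = sum(vals) / len(vals)
        if current > factor * baseline:
            flagged[host] = (baseline, current)
    return flagged


def guessed_then_succeeded(auth_text, window, min_failures=3):
    """(host, user) pairs that saw at least `min_failures` failed logins inside
    the window and then a success: credential guessing that worked."""
    failures = defaultdict(int)
    hits = []
    for line in auth_text.splitlines():
        ts, host, _, user, result = line.split()
        if not in_window(datetime.fromisoformat(ts), window):
            continue
        key = (host, user)
        if result == "fail":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append(key)
            failures[key] = 0
    return hits


def triage(flow_text=FLOW_LOG, auth_text=AUTH_LOG, window=DDOS_WINDOW):
    """Combine both detectors into one report for the responder watching the DDoS."""
    return {
        "egress": egress_anomalies(flow_text, window),
        "auth": guessed_then_succeeded(auth_text, window),
    }


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(kind, findings)
```

On the constructed data the web tier's egress barely moves while `db-01` ships roughly 40,000 times its baseline and takes a successful login after three failures inside the window; those are the findings to chase while the flood is being absorbed. The egress threshold compares per-record means rather than totals so that the extra flow records a DDoS itself generates do not trip the detector on their own, but `factor` still needs tuning to the environment.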
