Security researchers at vpnMentor say the digital scheduling platform FlexBooker is suspected of exposing the personal data of millions of consumers. According to the researchers, the Ohio-based IT firm was storing data in an AWS S3 bucket with no security safeguards, leaving the contents completely exposed and easily available to anybody with a web browser.
Full names, email addresses, phone numbers, and appointment information were among the 19 million pieces of data revealed. FlexBooker did not reply to requests for comment, but vpnMentor said the firm and Amazon were alerted about the problem.
FlexBooker apologized in January for a data breach that exposed the personal information of 3.7 million members. The firm disclosed at the time that part of its customer database had been exposed when its AWS servers were hacked on December 23. FlexBooker stated that its “system data storage was also accessed and downloaded” as part of the attack.
The firm went on to say that it worked with Amazon to restore a backup and was able to get operations back up and running in roughly 12 hours. When vpnMentor researchers scanned the internet for possible vulnerabilities in December, they were unaware of the data leak. vpnMentor confirmed the latest problem on January 23 and notified FlexBooker on January 25. Amazon was told the same day, and the problem was fixed by January 26.
The exposure is concerning because the data featured links with unique codes that could be used to create cancellation links and change links, and to examine appointment data previously hidden in the emails. When vpnMentor found it, the S3 bucket was also live, which meant it was continually updated with new information, exposing several people each day. vpnMentor shared screenshots of the appointments, which covered everything from COVID-19 exams to pet euthanasias and childcare. The babysitter emails also revealed children’s personal information.
According to Troy Hunt, an Australian security researcher who runs the Have I Been Pwned site that analyzes data breaches, the initial tranche of stolen data contained password hashes and partial credit card information for certain accounts. Hunt further said that the data “was found being actively traded on a popular hacking forum.”
Hunt’s report was confirmed by a FlexBooker spokesperson, who said that the last three digits of card numbers were included in the hack, but not the complete card information, expiration date, or CVV.