Case Study: FlexBooker Data Breach

Shaikh Sabir
Jan 10, 2023

About FlexBooker:

FlexBooker is a software platform that lets businesses manage and schedule appointments, classes, and events. It is designed to make it easy for businesses to take online bookings, manage their schedules, and communicate with customers. FlexBooker is commonly used by businesses in the health and wellness, fitness, and beauty industries, but any business that needs to manage appointments or events can use it. The platform offers a variety of features, including customizable booking pages, automatic appointment reminders, and integration with popular calendar and payment systems.

The Breach:

A massive data breach occurred at FlexBooker on December 23, 2021, and the breach-notification service Have I Been Pwned reported it on January 6, 2022.

The data was put up for sale on RaidForums, a forum that was popular for buying, selling, distributing, and freely downloading sensitive data (customer records, proprietary source code, and personal information such as credit card numbers) that had been leaked or stolen from companies over the years. RaidForums has since been shut down: its owner was arrested and the FBI took the site down.

The leak exposed sensitive information on 3.7 million accounts, including names, addresses, phone numbers, email addresses, and hashed passwords, as well as 19 million appointment records.

Later, on January 23, 2022, the vpnMentor research team found the exposed FlexBooker data as part of a large web-mapping project, and reported it to FlexBooker and AWS at the same time to speed up remediation.

In the screenshots below (reproduced from vpnMentor's report), we can see data belonging to third-party businesses that used FlexBooker to take appointments.

Source: vpnMentor

The above screenshot, taken from the exposed S3 bucket, shows how personally identifiable information (PII), including data about children, was exposed through a babysitting business's booking page.

Source: vpnMentor

The following screenshot shows a booking made with Bunnings, an Australian hardware retailer that also offers vehicle hire, which was likewise affected by the December 2021 breach.

How was FlexBooker compromised?

FlexBooker was using an Amazon Web Services (AWS) Simple Storage Service (S3) bucket to store its customers' personal data and appointment details.

However, the bucket was misconfigured: there were no access controls on the data stored in it. When FlexBooker first set up their AWS account to use S3, they named the bucket "flexbooker",

and an S3 bucket URL takes the following format:

“http://<bucket_name>.s3.amazonaws.com/”,

which created a URL,

http://flexbooker.s3.amazonaws.com/,

that they could use to upload, change, and read the data. However, they failed to lock the bucket down. S3 has no notion of password protection; access is restricted through IAM policies, bucket policies and ACLs (or blocked outright for anonymous callers with S3 Block Public Access), optionally narrowed further with conditions such as the caller's source IP address. None of that was in place, so the bucket answered anonymous requests.

As a result, an attacker who worked out that FlexBooker was using S3 could guess the bucket's URL from the company name, request it without any credentials, and download everything stored in it, including clients' names, addresses, phone numbers, hashed passwords, and appointment details.
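The check an attacker (or a defender auditing their own estate) would run against such a URL, and the configuration that would have closed the bucket, as an added example. This is not FlexBooker's, vpnMentor's or AWS's code: an anonymous GET on the bucket root returns a ListBucketResult document if the bucket is publicly listable and an AccessDenied error if it is not. The bucket names, the sample responses and the IAM role ARN are constructed for the example, and `offline_fetch` stands in for the live HTTP call so it runs without network access.

```python
"""Detect an anonymously listable S3 bucket and build the hardening config.

Added example, not code from the original article or from FlexBooker.
Bucket names, sample XML responses and the role ARN are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespace S3 uses on ListBucketResult (error documents carry no namespace).
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def bucket_url(bucket_name: str) -> str:
    """Virtual-hosted-style URL in the format the article describes."""
    return f"https://{bucket_name}.s3.amazonaws.com/"


def http_get(url: str) -> tuple[int, bytes]:
    """Unauthenticated GET returning (status, body); used for live checks."""
    req = urllib.request.Request(url, headers={"User-Agent": "s3-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify_bucket(bucket_name: str, fetch=http_get) -> dict:
    """Interpret the anonymous response for a bucket's root URL.

    200 + <ListBucketResult> -> anyone can enumerate objects (the failure mode
                                the article describes); keys are collected
    403 + AccessDenied       -> bucket exists but is not publicly listable
    404 + NoSuchBucket       -> no bucket by that name
    """
    status, body = fetch(bucket_url(bucket_name))
    result = {"bucket": bucket_name, "status": status, "public_listing": False,
              "keys": [], "error_code": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result  # non-XML body: treat as not conclusively open
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        result["public_listing"] = True
        result["keys"] = [k.text for k in root.iter(S3_NS + "Key")]
    elif root.tag == "Error":
        result["error_code"] = root.findtext("Code")
    return result


def hardening_config(bucket_name: str, app_role_arn: str) -> dict:
    """Settings that keep the bucket private: block public access entirely,
    then grant object access only to the application's IAM role over TLS.

    Dict shapes match boto3's s3.put_public_access_block(...) and
    s3.put_bucket_policy(Policy=json.dumps(...)). app_role_arn is an assumed
    placeholder for the booking application's role.
    """
    arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [
                {   # only the application role may read or write objects
                    "Sid": "AppRoleOnly", "Effect": "Allow",
                    "Principal": {"AWS": app_role_arn},
                    "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": f"{arn}/*",
                },
                {   # refuse plaintext HTTP, which the article's URL used
                    "Sid": "DenyInsecureTransport", "Effect": "Deny",
                    "Principal": "*", "Action": "s3:*",
                    "Resource": [arn, f"{arn}/*"],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                },
            ],
        },
    }


# Constructed sample responses standing in for the live fetch.
OPEN_BUCKET_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bookings</Name><IsTruncated>false</IsTruncated>
  <Contents><Key>exports/customers-2021-12.csv</Key><Size>1048576</Size></Contents>
  <Contents><Key>exports/appointments-2021-12.csv</Key><Size>52428800</Size></Contents>
</ListBucketResult>"""
DENIED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
SAMPLES = {
    bucket_url("example-bookings"): (200, OPEN_BUCKET_XML),
    bucket_url("example-bookings-private"): (403, DENIED_XML),
}


def offline_fetch(url: str) -> tuple[int, bytes]:
    """Replace http_get with canned responses so the example runs offline."""
    return SAMPLES.get(url, (404, b"<Error><Code>NoSuchBucket</Code></Error>"))


if __name__ == "__main__":
    for name in ("example-bookings", "example-bookings-private", "no-such-bucket"):
        print(classify_bucket(name, fetch=offline_fetch))
```

To run it against a real bucket, call `classify_bucket(name)` with the default fetcher; a `public_listing` of `True` is the condition the article attributes to the "flexbooker" bucket. Note that a 403 only proves the bucket is not listable anonymously: individual objects can still be public through object ACLs, which is why the hardening config turns on all four Block Public Access settings rather than relying on the bucket policy alone.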

We also contacted FlexBooker about the data breach, and they replied: “We have received notification that some email addresses from our system may have been compromised back in December of 2021. If you have not signed up with FlexBooker in the past, you may have been alerted as we believe you may have made an appointment with a merchant that uses us for their online appointments, rather than having an account with FlexBooker directly. For peace of mind, the data set doesn’t include any credit card numbers or clear-text password information. No action should be necessary on your part. The message was just informational.”

Conclusion: It’s not always zero-days or advanced attacks that lead to a massive data breach. Sometimes a simple mistake, such as a storage bucket left open to anonymous requests, is enough to have serious consequences.


Shaikh Sabir

A cybersecurity enthusiast committed to finding and reporting critical vulnerabilities. Always learning and staying ahead of threats.