FlexBooker has apologized for the breach; the stolen data reportedly includes partial credit card information.
A hacking group is selling a database of information stolen from FlexBooker, a provider of appointment scheduling software. The data was taken just before Christmas: FlexBooker notified customers by email that its AWS servers were compromised on December 23, 2021, and that its system data storage was accessed and downloaded.
According to the Have I Been Pwned breach notification service, the FlexBooker attack exposed data on 3,756,794 accounts, consisting of email addresses, names, partial credit card data, passwords, and phone numbers.
BleepingComputer reports that a group calling itself Uawrongteam took credit for the attack and shared links to archives of the stolen data, which the group claimed also include users' driver's licenses and other IDs, together with password salts and hashed passwords.
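What a leaked salt plus password hash actually gives an attacker is worth spelling out. The following is an added example, not code from the original article and not FlexBooker's own code; the page does not say which hashing scheme FlexBooker used, so the two schemes shown (salted SHA-256 and PBKDF2-HMAC-SHA256), the sample accounts, passwords and the wordlist are all constructed for illustration. The point it demonstrates: once the table is in the attacker's hands, the salt only stops precomputed tables and cross-user reuse of work; each user's password still falls to ordinary offline guessing, and only the per-guess cost of the hash function and the strength of the password limit how many accounts are recovered.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

HashFn = Callable[[bytes, str], bytes]


def sha256_salted(salt: bytes, password: str) -> bytes:
    """Fast salted hash: one SHA-256 per guess (a weak scheme, shown for contrast)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_salted(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """Slow salted hash: every guess costs `iterations` HMAC-SHA-256 rounds.
    100k keeps this example quick; production values are far higher
    (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_dump(hash_fn: HashFn) -> List[Dict[str, str]]:
    """Build a constructed 'leaked' table of email, per-user salt and hash.
    These accounts and passwords are made up; they are not FlexBooker data."""
    users = [
        ("dentist@example.com", "123456"),      # trivially weak
        ("gym@example.com", "Dentist2021!"),    # looks 'complex' but sits in wordlists
        ("salon@example.com", "xK9#vQ2!pL7m"),  # random, not in any wordlist
    ]
    dump = []
    for email, password in users:
        salt = os.urandom(16)  # stored beside the hash, so it leaks with it
        dump.append({"email": email, "salt": salt.hex(),
                     "hash": hash_fn(salt, password).hex()})
    return dump


# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "Dentist2021!", "qwerty", "summer21"]


def crack(dump: List[Dict[str, str]], wordlist: List[str],
          hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack against a leaked salt+hash table.

    The salt forces one hash computation per (user, guess) pair and defeats
    precomputed tables, but it does nothing to hide a weak password: the
    attacker simply replays the scheme with the leaked salt.
    Returns ({email: recovered_password}, number of hashes computed).
    """
    found: Dict[str, str] = {}
    attempts = 0
    for rec in dump:
        salt = bytes.fromhex(rec["salt"])
        target = bytes.fromhex(rec["hash"])
        for guess in wordlist:
            attempts += 1
            if hmac.compare_digest(hash_fn(salt, guess), target):
                found[rec["email"]] = guess
                break
    return found, attempts


if __name__ == "__main__":
    for name, fn in (("salted SHA-256", sha256_salted),
                     ("PBKDF2-HMAC-SHA256", pbkdf2_salted)):
        found, attempts = crack(make_dump(fn), WORDLIST, fn)
        print(f"{name}: recovered {found} after {attempts} hash computations")
```

Both schemes give up the same two weak passwords after the same eleven guesses; the difference is that each PBKDF2 guess costs 100,000 times more work, which is what a slow, preferably memory-hard KDF (bcrypt, scrypt, Argon2) buys a breached service. The practical reading for users of a breached service is that any reused or guessable password should be treated as recovered and rotated wherever it was used.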
FlexBooker said the attack caused widespread outages of its core application functionality and required help from AWS to resolve.
“We have been informed that this should not have been possible, but before they were able to assist technically, they had to ensure that all our security practices were correct. They have completed this step, and this has now gone to their leadership team who have approved dedicating technical resources to this immediately,” FlexBooker said of the assistance from AWS on December 24.
“We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.”
In FlexBooker's email to users, the company said the intruders did not obtain "any credit card or other payment card information." Have I Been Pwned, by contrast, lists partial credit card data among the exposed fields, and at this point it is unclear whether partial, rather than full, card numbers were part of the stolen cache.
The TASBIA™ Bottom Line
FlexBooker is positioned as a solution that lets businesses manage appointments, facilities, classes and service delivery for their customers. Its small-business focus includes lawyers, dentists, gyms, mechanics, salons, trainers, and therapists.
Breaches of this type are rare in the appointment scheduling industry, but this one highlights the risk businesses take when they let a third party hold sensitive customer data.
FlexBooker states on its website that "all our servers are housed by a third party hosting company that is SSAE-SOC II certified and is located in a physically secure location." That presumably means AWS. A hosting provider's SOC 2 attestation, however, covers the provider's own controls, such as physical access and the underlying infrastructure; under the cloud shared responsibility model the customer remains responsible for its application code, access credentials, configuration and the data it stores. Ultimately FlexBooker is responsible for its software and the security of its solution.
Sources for this story: