Booking management platform FlexBooker leaks 3.7 million user records
FlexBooker, a company that provides a cloud-based online scheduling and booking service, has exposed the personal details of more than 3.7 million users.
The incident took place in December 2021 after a threat actor compromised one of the company's Amazon Web Services (AWS) accounts, according to Australian security researcher Troy Hunt.
The threat actor used the account to collect 9.5 million records from the company's AWS infrastructure, data that was eventually leaked online on a forum dedicated to trading hacked data.
Hunt, who operates Have I Been Pwned, a service that indexes hacked data, said that he received a copy of the stolen files, which turned out to contain information on more than 3.7 million unique users.
According to Hunt, this data contained real names, email addresses, phone numbers, and for a small number of accounts, password hashes and partial credit card information.
These users are most likely unaware that their data was leaked online. Affected users are persons who made online reservations on the websites of doctors, accountants, barbers, mechanics, and others, all of whom used FlexBooker's services to manage online bookings.
Hunt's Have I Been Pwned service is currently sending emails with a notification about the exposure to all those who had an email address included in the leak.
A FlexBooker spokesperson did not return a request for comment.
This is the second major breach that Hunt has added to his Have I Been Pwned service this week after the Aussie researcher also indexed 7.5 million user records that leaked from music mixtape service DatPiff. The DatPiff data also leaked last month, on the same forum as the FlexBooker breach.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.