The vpnMentor research team discovered a data leak from FlexBooker, a company that makes online appointment booking tools for businesses. This is its second breach in two months.
FlexBooker Data Leak
Like most data leaks of this type, it was the result of a misconfigured AWS S3 bucket. The two breaches don’t appear to be connected, and the team believes up to 19 million people could be affected. The leaked dataset is 172 GB in size and contains over 19 million files. The data range is from January 2022 to the present day. The types of exposed data include emails, personally identifiable information, and URLs allowing changes to bookings made via FlexBooker.
The first attack was more of a data breach. Attackers had used a successful DDoS attack on the company’s AWS servers. This caused widespread network outages, allowing them to steal data on 3.7 million users. This included personally identifiable information, IDs, hashed passwords, and partial credit card numbers. The group responsible then started selling access to the data on the dark web.
In this case, FlexBooker was using an AWS S3 bucket. S3 buckets are an increasingly popular enterprise cloud storage solution. However, users must set up their security protocols manually to protect any data stored therein.
It seems that FlexBooker failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser.
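The page does not say which setting was left open on the bucket. As an added illustration (not vpnMentor's or FlexBooker's code), this offline check flags two common ways an S3 bucket becomes readable without credentials, a wildcard-principal bucket policy and an `AllUsers` ACL grant, and shows the Block Public Access flags that neutralise each; the bucket name, account ID, policy and grants below are constructed.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # ACL group meaning "anyone"
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Sids of Allow statements that let any principal read or list, unconditionally."""
    hits = []
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        patterns = [a.lower() for a in as_list(st.get("Action", []))]
        reads = any(fnmatchcase(act, p) for p in patterns for act in READ_ACTIONS)
        # Assumption: statements with a Condition are left for manual review.
        if st.get("Effect") == "Allow" and anyone and reads and "Condition" not in st:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def public_acl_grants(grants):
    """Permissions granted to the AllUsers group that expose listings or data."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") == ALL_USERS
            and g["Permission"] in ("READ", "FULL_CONTROL")]

def audit_bucket(policy, grants, block):
    """Return findings; `block` holds the bucket's Block Public Access flags."""
    findings = []
    sids = public_policy_statements(policy)
    if sids and not block.get("RestrictPublicBuckets", False):
        findings.append(f"policy allows anonymous read: {', '.join(sids)}")
    perms = public_acl_grants(grants)
    if perms and not block.get("IgnorePublicAcls", False):
        findings.append(f"ACL grants AllUsers: {', '.join(perms)}")
    return findings

# Constructed sample input: an illustrative bucket, not FlexBooker's configuration.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bookings/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bookings/*"}]}
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
OPEN, LOCKED = {}, {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, OPEN))
    print(audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, LOCKED))
```

The three inputs have the same shape as the output of `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`, so real exports can be fed to `audit_bucket` after JSON parsing.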
If you’re a customer of FlexBooker and are concerned about how this breach might impact you, contact the company directly to find out what steps it’s taking to protect your data.