Report: FlexBooker Suffers Another Data Breach Exposing Millions of Bookings
Led by Noam Rotem, vpnMentor’s research team discovered a data breach originating from a cloud server belonging to the online appointment company FlexBooker.
FlexBooker sells online appointment booking tools that businesses can embed in their websites.
This breach is the second time in two months that the company has been mentioned for exposing user data. Earlier in January 2022, it released a statement that personal files belonging to 3.7 million users had been stolen from its AWS account by hackers and distributed on the dark web. While the company claimed it had resolved all vulnerabilities in its AWS configuration, that may not have been the case.
Our team found this additional misconfiguration during a routine scan of potential vulnerabilities across the whole internet, without prior knowledge of FlexBooker’s previous breach. Only upon further research did we learn about the first breach.
The two breaches don’t appear to be connected, and this time, FlexBooker has potentially exposed even more people to fraud, online attacks, and much more. Up to 19 million, in fact.
Data Breach Summary
| Item | Detail |
| --- | --- |
| Headquarters | Columbus, Ohio, USA |
| Industry | SaaS; online bookings |
| Size of data in gigabytes | 172GB |
| Suspected no. of files | 19m+ |
| No. of people exposed | Up to 19m |
| Date range/timeline | Mid-January 2020 – Present |
| Types of data exposed | Emails; PII data; URLs allowing changes to bookings made via FlexBooker |
| Potential impact | Fraud; identity theft; phishing |
| Data storage format | Misconfigured AWS S3 bucket |
FlexBooker provides online scheduling software for websites and online businesses to accept appointments for meetings, classes, and much more — both online and in person.
The software offers to automate the entire process for all involved, including syncing calendars, changing or canceling appointments, and processing payments.
The breach we discovered in January 2022 is the second that FlexBooker’s Amazon Web Services (AWS) cloud infrastructure has suffered in two months. As previously reported, on December 23, 2021, hackers purportedly carried out a successful DDoS attack on the company’s AWS servers. This caused widespread outages in its network and allowed them to steal data belonging to 3.7 million users, including considerable Personally Identifiable Information (PII), IDs, hashed passwords, and partial credit card numbers.
The group responsible then started selling access to the data on the dark web. Independent cybersecurity researchers verified that the stolen data archives were available for sale there.
FlexBooker released a statement detailing the nature of the attack and what had been stolen, claiming the issue had been resolved with direct help from AWS.
We can’t confirm if our discovery is connected to the vulnerability responsible for the December breach or if it's a completely unrelated and separate issue.
Timeline of Discovery and Owner Reaction
- Date discovered: January 23, 2022
- Date vendors contacted: January 25, 2022
- Date Amazon contacted: January 25, 2022
- Date of Response: January 25, 2022 (automatic response about the breach)
- Date of Action: January 26, 2022, following our outreach to Amazon
Sometimes, the extent of a data breach and the data’s owner are obvious, and the issue is quickly resolved. But such cases are rare. We often need days of investigation before we understand what’s at stake or who’s exposing the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, FlexBooker was using an AWS S3 bucket. S3 buckets are an increasingly popular enterprise cloud storage solution. However, the access controls on a bucket are the owner’s responsibility: users must configure them manually to protect any data stored therein.
It seems that FlexBooker failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser.
Upon discovering the AWS account, our research team took various steps to confirm FlexBooker as the owner. Multiple files within the S3 bucket and aspects of its infrastructure directly named FlexBooker or referenced the company.
Once we confirmed that FlexBooker was responsible for the data breach, we contacted the company to notify them of the breach and offered our assistance.
We received what seemed to be a template reply for people reaching out regarding the original leak in December 2021. So, we sent another email informing them of a new breach.
As FlexBooker stated they were working together with Amazon on securing all their servers, we decided to reach out to Amazon on the same day to speed up the process. On the 26th (the day after), the bucket was secured. We never received a reply from FlexBooker’s team.
A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by FlexBooker. It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both. However, it shows the risk for companies who don’t adequately secure their users’ data and how quickly hackers can get stolen data out into the open.
Examples of Entries in the S3 Bucket
FlexBooker’s misconfigured AWS account contained over 19 million HTML files which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. This means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using FlexBooker.
Each email appeared to be a confirmation message for bookings made via the platform and exposed both the FlexBooker account holder and the person(s) who made a booking.
For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed.
The private personal user data we viewed included:
- Full names
- Email addresses
- Phone numbers
- Appointment details
Furthermore, every email also contained a link with a unique code that could be used to create cancellation links, edit links, and view the appointment details that were hidden in the emails.
FlexBooker’s S3 bucket was live at the time of discovery and constantly updated with additional data. This means more people were being exposed every day, many of them probably unaffected by the previous breach in December 2021.
The screenshots below show a confirmation email on which it was potentially possible to change someone’s appointment for a COVID-19 test (which we didn’t try for ethical reasons). Had bad actors gained access to such permissions without anyone’s knowledge, they could have wreaked havoc on people’s lives and the US’s broader fight against the pandemic.
In another instance, it was possible to change a booking for euthanizing a pet, including a huge amount of sensitive data about both the person and their pet, which could inflict considerable emotional pain on the person making the appointment.
The next screenshot taken from the breached bucket demonstrates how PII data, including children's data, were exposed in the breach via a babysitting business’s website.
The following screenshot shows a booking made at a rental car company called Bunnings, which was also affected by the December 2021 breach.
Data Breach Impact
For FlexBooker Users
Had malicious or criminal hackers discovered FlexBooker's AWS account before it was secured, they could have used the exposed data in a wide range of schemes.
Firstly, the exposed data would have been enough for skilled hackers to commit many of the most common forms of fraud against anyone using a website with FlexBooker installed, including:
- Identity theft
- Financial scams, and more
However, even if the exposed data wasn’t sufficient to exploit for criminal gains, hackers could also use it to carry out complex phishing campaigns.
In a phishing campaign, criminals send victims fake emails and text messages imitating businesses. With the information exposed in this breach, they could easily build the victim’s trust by posing as businesses using FlexBooker email templates and visuals, and tricking them into any of the following actions:
- To provide additional PII data (e.g., social security numbers) or private information (e.g., bank account details) that can be used in the fraudulent activities listed above.
- To input debit or credit card details into a fake appointment portal so they can be scraped and used by criminals or sold on the dark web.
- To click a link embedded with malicious software that infects a user’s device, such as malware, spyware, and ransomware.
Aside from the risks outlined above, hackers could also just choose to wreak havoc on FlexBooker’s system and its clients’ businesses by canceling bookings, changing dates, and much more. Some bookings exposed incurred cancellation fees, adding a cost to the users.
Hackers would not have any obvious financial gain from such actions. They could simply decide to engage in such malicious activities for fun. However, various groups on the dark web offer numerous paid services that can be best summed up as “We’ll ruin someone’s life or business for you.” Part of such a “service” could include changing and canceling a person’s (or business's) appointments via FlexBooker.
Due to the number of people exposed in this data breach, cybercriminals would only need to successfully scam a small fraction for any criminal scheme to be considered successful.
Aside from the risks outlined above, businesses using FlexBooker may lose customers if their bookings are disrupted or manipulated in any way, due to lack of trust, without those businesses even being responsible.
While FlexBooker wouldn't be at risk of hacking due to this breach, it could negatively impact the company in many ways.
Two massive data breaches in two months, exposing millions of users, will have significant consequences for the company. Worse still, the files exposed in this breach would have allowed hackers to cancel or change bookings, charge users cancellation fees, and much more. Not only would fixing these issues take a huge amount of time, but affected users would also most likely stop using FlexBooker’s tools as a result.
If users abandon FlexBooker en masse, it may never recover that lost revenue. Potential users will undoubtedly consider alternatives based on the number of stories about breaches and hacks at FlexBooker.
Furthermore, two such errors affecting user privacy could attract the regulator's attention — especially since FlexBooker assured its users and the public that it took care of the vulnerabilities in its AWS security.
Advice from the Experts
FlexBooker could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:
- Securing its data stores.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of FlexBooker, the quickest way to fix this error would be to:
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
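The three steps above, and the earlier point that S3 access controls are the bucket owner’s job, can be checked mechanically rather than by eye. The following Python is an added example written for this article, not FlexBooker’s or vpnMentor’s code: it audits a bucket policy document and an S3 Block Public Access configuration for the kind of misconfiguration this report describes, with a constructed open policy placed beside its locked-down counterpart. The bucket name, account id and role name are placeholders, and the boto3 calls that would apply the hardened settings to a real account are named in comments only.

```python
import json

# Constructed sample: a bucket policy that lets anyone on the internet list and
# read every object (anonymous principal "*", no Condition narrowing the grant).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-booking-emails",
                     "arn:aws:s3:::example-booking-emails/*"],
    }],
})

# Constructed sample: the hardened form. Only one application role (placeholder
# account id and role name) may read, and plaintext HTTP access is denied.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-mailer"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-booking-emails/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-booking-emails",
                         "arn:aws:s3:::example-booking-emails/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# The four S3 Block Public Access settings; all four should be on for a bucket
# that holds customer data. This dict is the shape put_public_access_block takes.
PUBLIC_ACCESS_BLOCK_HARDENED = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for "*" or {"AWS": "*"}: grants to anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements granted to an anonymous principal.

    Unconditional grants are public by definition; grants carrying a Condition
    are marked for review, since only some condition keys genuinely narrow them.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue  # a Deny to "*" is a restriction, not an exposure
        if not _is_anonymous(statement.get("Principal")):
            continue
        sid = statement.get("Sid", f"Statement[{i}]")
        findings.append(f"{sid} (conditioned, review)" if statement.get("Condition") else sid)
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Names of the Block Public Access settings that are missing or disabled."""
    return [key for key in PUBLIC_ACCESS_BLOCK_HARDENED if not config.get(key, False)]


def audit_bucket(policy_json: str, public_access_block: dict) -> dict:
    """Combine both checks; an empty result means no public exposure was found."""
    return {
        "public_statements": public_statements(policy_json),
        "public_access_block_gaps": public_access_block_gaps(public_access_block),
    }


if __name__ == "__main__":
    # The open configuration is what this report describes; the locked one is the fix.
    print("open:  ", audit_bucket(OPEN_POLICY, {}))
    print("locked:", audit_bucket(LOCKED_POLICY, PUBLIC_ACCESS_BLOCK_HARDENED))
    # To apply the fix to a real bucket (not run here), boto3's S3 client offers
    # put_public_access_block(Bucket=..., PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK_HARDENED)
    # and put_bucket_policy(Bucket=..., Policy=LOCKED_POLICY).
```

Running the audit against a live account means fetching each bucket’s policy and Block Public Access configuration and feeding them to `audit_bucket`; any bucket whose result is not empty is exposed in the way FlexBooker’s was, and the Block Public Access gaps are the fastest thing to close because they override a permissive policy.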
For FlexBooker Users
If you’re a customer of FlexBooker and are concerned about how this breach might impact you, contact the company directly to find out what steps it's taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in FlexBooker’s data as part of a huge web mapping project. Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.
Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the data, usually a commercial business.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to FlexBooker, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. FlexBooker users must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
We normally have no evidence — and no way of knowing — whether the data in our reports have been accessed or leaked by anyone else. Only the data's owner can know that. However, in this case, after we discovered FlexBooker's breach and reported it to the company, mentions of private data stolen from FlexBooker appeared on the dark web again.
This data could have originated from the December breach or the one we discovered, but for ethical reasons, we didn't engage with the hackers involved to find out.
We do our best to prevent this from happening by reaching out to the companies and ensuring they secure their leaking database as soon as possible.
We never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
This has included an enormous data breach by a Ghanaian government agency that exposed 100,000s of the country’s citizens. We also revealed that an Australian marketing company was harvesting and exposing data collected from 100,000s of people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
Introducing The Leak Box
The Leak Box is hosted on the Dark Web and allows ethical hackers to anonymously report any data breach they find online. Alternatively, anyone can submit a breach to vpnMentor, any time, from anywhere, without compromising their privacy.