FlexBooker’s Latest Data Breach Could Affect 19 Million Customers

A data breach at cloud-based appointment management solution FlexBooker has exposed the personal data of millions of consumers, according to researchers from vpnMentor.

This is the second data security incident involving the company in 2022. In January, FlexBooker acknowledged that malicious actors managed to exfiltrate sensitive data of 3.7 million customers.

“It seems that FlexBooker failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser,” the researchers said. “We can’t confirm if our discovery is connected to the vulnerability responsible for the December breach, or a completely unrelated and separate issue.”

Personal data exposure

The latest data breach stems from an unsecured Amazon S3 bucket that exposed over 19 million HTML files (172 GB) in the form of automated emails sent via FlexBooker’s platform to users.

“Each email appeared to be a confirmation message for bookings made via the platform, and exposed both the FlexBooker account holder and the person(s) who made a booking,” the investigators added. “For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed.”

The booking messages included full names, email addresses, phone numbers and appointment details accompanied by a link “with a unique code that could be used to create cancellation links, edit links, and view the appointment details that were hidden in the emails.”

What are the risks?

Despite Amazon securing the vulnerable server on Jan. 26, investigators warned that data brokers have already started selling FlexBooker information on dark web forums.

“A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by Flexbooker,” the report reads. “It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both.”

Criminals can use this information in targeted phishing attacks on customers to steal additional personal information, such as credit card details and login credentials to various platforms. They could also trick users into accessing a malicious link that deploys spyware or other malicious software on their device.

FlexBooker users are advised to be wary of unsolicited emails and ignore any correspondence asking them to submit sensitive personally identifiable information such as Social Security numbers and credit card numbers.

Has your information been exposed in a data breach? Find out now if your personal info has been stolen or made public on the internet, with Bitdefender’s Digital Identity Protection tool.

Our privacy-focused service scours the web for any exposure of your email addresses, breached passwords and other personal data so you can stay on top of privacy threats with real-time data breach alerts and one-click action items to help you prevent potential financial damages.