Over 3.7 million Accounts Compromised in FlexBooker Data Breach

An attack on multiple companies over the holidays led to the accounts of more than 3 million FlexBooker users being stolen and sold on hacker forums.

The data breaches took place just a few days before Christmas, and the attackers posted the harvested data on forums shortly after.

The attack also apparently affected Australian companies Racing.com, a racing media organization, and rediCASE, a case management software firm. The perpetrators also traded databases they claimed belonged to these two other companies on the hacking forums.

FlexBooker’s database was part of the latest data dump related to this multi-pronged attack. FlexBooker is an appointment scheduling tool that lets users perform employee calendar synchronization.

The service is popular among businesses with tight schedules, including accountants, doctors, barbers, lawyers, mechanics, gyms, salons, personal trainers, therapists and dentists.

A group called Uawrongteam claimed the attack, and shared URLs to the data dump comprising sensitive data, such as driver’s licenses, ID cards, and photos. The leaked database presumably encompasses 10 million lines of customer data in table form, such as charges, payment forms, and pictures of driver’s licenses.

The table also appears to house critical private data, such as names, emails, hashed passwords, password salt, and phone numbers.

In response to the data breach, FlexBooker has sent a notification to its customers highlighting that the attackers compromised its account on Amazon’s AWS servers.

The notification also mentioned that the perpetrators “accessed and downloaded” the service’s system data storage but didn’t manage to access “any credit card or other payment card information.”

On the other hand, FlexBooker advised its customers to check their account statements and credit reports for any sign of suspicious or fraudulent activity.

A copy of the data dump reached the Have I Been Pwned service, which confirmed that it includes names, email addresses, phone numbers, and partial credit card information for some accounts. Some 69% of these data bits were already in the HIBP database.

The FlexBooker incident is the second major data dump indexed by HIBP, merely a week after the DataPiff breach, which saw the service adding 7.5 million usernames and passwords to its database.