Data Breach Exposes Booking Details of 19 Million Customers
Misconfigured AWS S3 Bucket Belongs to Appointment Scheduler, FlexBooker
A massive data breach has been uncovered, totaling in excess of 172 GB of data and affecting an estimated 19 million people. The victims are primarily customers of online appointment company FlexBooker, researchers say.
"The breach we discovered in January 2022 is the second FlexBooker’s Amazon Web Services (AWS) cloud infrastructure breach suffered in two months. On Dec. 23, 2021, hackers performed a successful DDoS attack on the company’s AWS servers, causing widespread outages in its network, allowing hackers to steal data from 3.7 million users, including considerable Personally Identifiable Information, IDs, hashed passwords, and partial credit card numbers," say researchers at vpnMentor.
FlexBooker is a provider of online scheduling software for websites and online businesses to accept appointments for meetings, classes and other activities - both online and in person. The software automates syncing calendars, changing or canceling appointments and processing payments.
Robert Byrne, field strategist at identity security platform One Identity, says attacks like these remind us how easy it is to misconfigure access in the cloud and the dramatic impact that can have.
"As business users engage with new technologies and new ways of working, their organizations need to put better handrails and guidance in place. The good news is that the best practices, technologies and services are readily available. For example, following the CIS benchmarks for AWS as a baseline greatly reduces the risk of this type of leak. We see organizations being successful by augmenting that baseline with governance for cloud infrastructure and continuous compliance processes," Byrne says.
A spokesperson for FlexBooker was not immediately available to comment.
Breached Second Time
In January, FlexBooker released a statement saying that files belonging to 3.7 million users had been stolen from its AWS account by hackers and distributed on the dark web.
Following that notification, the company said it had resolved all vulnerabilities in its AWS configuration.
"Our team found this additional misconfiguration during a routine scan of potential vulnerabilities across the whole internet, without prior knowledge of FlexBooker’s previous breach. Only upon further research did we learn about the first breach. The two breaches don’t appear to be connected, and this time, FlexBooker has potentially exposed even more people to fraud and online attacks. Up to 19 million, in fact," the researchers say.
They discovered the misconfigured database on Jan. 23 and contacted the vendor on Jan. 25. They say FlexBooker was storing the data in an AWS S3 bucket, an increasingly popular enterprise cloud storage solution.
"Users must set up their security protocols manually to protect any data stored therein. It seems that FlexBooker failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser," the researchers say. "Upon discovering the AWS account, our research team took various steps to confirm FlexBooker as the owner. Multiple files within the S3 bucket and aspects of its infrastructure directly named FlexBooker or referenced the company."
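As an added illustration (not code from the article, vpnMentor or FlexBooker), this is the kind of posture check that flags a bucket left in the state described above. It assumes the response shapes boto3 returns for get_public_access_block, get_bucket_acl and get_bucket_policy_status; the sample responses and bucket name below are constructed.

```python
"""Assess an S3 bucket's public-exposure posture from three API responses.

With boto3 the inputs would come from, e.g.:
    s3.get_public_access_block(Bucket=name)   # raises if no block is configured
    s3.get_bucket_acl(Bucket=name)
    s3.get_bucket_policy_status(Bucket=name)  # raises if the bucket has no policy
Here the responses are constructed inline so the check runs offline.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant to an Amazon-wide group."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def assess_bucket(name, public_access_block, acl, policy_status):
    """Return a list of findings; an empty list means no public exposure was found.
    public_access_block / policy_status may be None when AWS reports none configured."""
    findings = []
    block = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BLOCK_KEYS if not block.get(k)]
    if missing:  # any unset flag leaves a path to public access open
        findings.append(f"{name}: Block Public Access incomplete ({', '.join(missing)})")
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    if (policy_status or {}).get("PolicyStatus", {}).get("IsPublic"):
        findings.append(f"{name}: bucket policy is public")
    return findings


# Constructed sample: no Block Public Access, ACL readable by everyone, no policy.
EXPOSED = dict(
    public_access_block=None,
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    policy_status=None)
# Constructed sample: all four block flags on, owner-only ACL, non-public policy.
HARDENED = dict(
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS}},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    policy_status={"PolicyStatus": {"IsPublic": False}})

if __name__ == "__main__":
    for label, bucket in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, assess_bucket("example-bookings-bucket", **bucket) or ["no findings"])
```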
After confirming that FlexBooker was responsible for the exposed bucket, the vpnMentor researchers contacted the company to notify it of the breach. In reply, they received a templated response intended for people contacting the company about the original leak in December 2021.
In response to a follow-up email informing the company about the new breach, the company said it was working with Amazon on securing all of its servers. The researchers at vpnMentor contacted Amazon on the same day to speed up the process and on Jan. 26, the bucket was secured.
"A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by FlexBooker. It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both. However, it shows the risk for companies who don’t adequately secure their users' data and how quickly hackers can get stolen data out into the open," the researchers say.
The researchers found that the exposed files contained automated emails sent via FlexBooker’s platform to users.
"Each email appeared to be a confirmation message for bookings made via the platform, and exposed both the FlexBooker account holder and the person(s) who made a booking. For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed. The private personal user data we viewed included full names, email addresses, phone numbers and appointment details," the researchers say.
They also say each email contained a link with a unique code that could be used to generate cancellation and edit links and to view appointment details not shown in the email itself.
FlexBooker’s S3 bucket was also still live and receiving new data at the time of discovery, which the researchers say means more people were being exposed every day, many of them probably unaffected by the previous breach in December 2021.
"Firstly, the exposed data would have been enough for skilled hackers to commit many of the most common forms of fraud against anyone using a website with FlexBooker installed, including identity theft, fraud and financial scams. However, even if the exposed data wasn’t sufficient to exploit for criminal gains, hackers could also use it to carry out complex phishing campaigns," the researchers say.
Apart from phishing attacks and scams, the researchers say that any hacker could "wreak havoc" on FlexBooker's system and its clients' businesses by canceling bookings and changing dates. Some of the exposed bookings also carried cancellation fees, so a malicious cancellation would add a direct cost for the affected users.