FlexBooker Data Leak Impacts Millions of End Customers

An online booking software provider unwittingly leaked the details of millions of customers online after misconfiguring a cloud storage solution, according to researchers.

A team at comparison site vpnMentor found the leak on January 23 and traced it back to US firm FlexBooker, which provides software that enables businesses to accept bookings on their websites.

The 172GB trove was left completely unsecured due to a misconfigured Amazon Web Services (AWS) S3 bucket. It was fixed three days later after the researchers reached out to both the vendor and AWS.

“FlexBooker’s misconfigured AWS account contained over 19 million HTML files which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. This means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using FlexBooker,” vpnMentor explained.

“Each email appeared to be a confirmation message for bookings made via the platform and exposed both the FlexBooker account holder and the person(s) who made a booking.”

Among the data viewed by the team included full names, email addresses, phone numbers and appointment details.

Each exposed email contained a link with a unique code that could be used to create cancellation links, edit links and view appointment details, the report added. Data on some children was also exposed via a FlexBooker client which was a babysitting service.

If hackers managed to access the leaked information, they could have used it to craft follow-on phishing and identity theft attacks by posing as the businesses with which end-customers made bookings.

The discovery came just days after FlexBooker was forced to admit a December data breach that purportedly compromised nearly four million customer accounts.

“On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data,” it said at the time.

“As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours.”

It’s unclear whether this incident also stemmed from a misconfigured server or if the attackers compromised FlexBooker’s cloud infrastructure differently.

What’s Hot on Infosecurity Magazine?