"FlexBooker Data Leak Impacts Millions of End Customers"

An online booking software provider unwittingly leaked the details of millions of customers online after misconfiguring a cloud storage solution, according to researchers at vpnMentor. The researchers found the leak on January 23 and traced it back to US firm FlexBooker, which provides software that enables businesses to accept bookings on their websites. The 172GB trove was left completely unsecured due to a misconfigured Amazon Web Services (AWS) S3 bucket. The researchers stated that the bucket was fixed three days after they reached out to both the vendor and AWS.

The researchers said that FlexBooker’s misconfigured AWS account contained over 19 million HTML files, which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. They noted that this means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using FlexBooker. Each email appeared to be a confirmation message for a booking made via the platform and exposed both the FlexBooker account holder and the person(s) who made the booking. The data viewed by the team included full names, email addresses, phone numbers, and appointment details. Each exposed email contained a link with a unique code that could be used to create cancellation links, edit links, and view appointment details. Data on some children was also exposed via a FlexBooker client that was a babysitting service.

The researchers stated that if hackers managed to access the leaked information, they could have used it to craft phishing and identity theft attacks by posing as the businesses with which end customers made bookings. The discovery by the researchers came just days after FlexBooker was forced to admit a December data breach that purportedly compromised nearly four million customer accounts.

 

Infosecurity reports: "FlexBooker Data Leak Impacts Millions of End Customers"
