FlexBooker says sorry for a data breach that exposed 3.7 million user details as well as partial credit card details

FlexBooker, a scheduling software company, apologized this week for a data breach that exposed the personal information of 3.7 million customers.

The firm said in a statement that part of its customer database had been exposed when its AWS servers were compromised on December 23. FlexBooker stated that, as part of the attack, its “system data storage was also accessed and downloaded.”

They went on to say that they worked with Amazon to restore a backup and were able to get operations back up and running in roughly 12 hours.

“We notified all impacted parties and worked with our hosting provider, Amazon Web Services, to guarantee that our accounts were re-secured,” a spokeswoman said. “We sincerely regret any trouble caused by this problem.”

The data was “limited to names, email addresses, and phone numbers,” according to a spokesman, and a webpage informing consumers of the breach said the same thing.

However, Troy Hunt, the founder of the Have I Been Pwned site, which analyses data breaches, claimed the stolen material contained password hashes and partial credit card information for certain accounts. The information “was discovered being actively sold on a famous hacker forum,” according to Hunt.

A FlexBooker spokeswoman corroborated Hunt’s claim, telling ZDNet that the breach only revealed the last three digits of card numbers, not the whole card number, expiry date, or CVV.

According to Bleeping Computer, the attackers, Uawrongteam, posted information from FlexBooker and two other firms on a hacker forum. They linked the hack to a DDoS assault reported by FlexBooker on December 23.

According to FlexBooker’s attack report, the attack caused widespread failures of its core application functionality, which required assistance from AWS to resolve.

“We were told that this shouldn’t have been possible, but before they could help us technically, they needed to make sure that all of our security procedures were in order. They’ve finished this phase, and their senior team has authorised allocating technical resources to this project right away,” FlexBooker said on December 24, expressing its gratitude for AWS’ support.

“We are sincerely sorry for the inconvenience this has caused. We’ve been on the phone with AWS support for the last seven hours, attempting to get them approved. A brute force assault like this should not have been conceivable, therefore we’re putting pressure on them to provide a network-level solution to guarantee that this is fixed promptly and permanently so that it never occurs again.”

After nearly eight hours, the problem was fixed.

According to Nasser Fattah of Common Assessments, DDoS attacks are sometimes launched as a diversionary tactic: they disrupt critical business services while the adversary’s real aim is to gain access to important data and exfiltrate it.

“We realise there are financial consequences connected with system breakdowns, which is why when there is a DDoS assault, security professionals have all eyes on glass,” Fattah added. “And when that occurs, it’s critical to be ready for the prospect of a multidimensional assault and to keep a close eye on other network irregularities.”