FlexBooker, a commonly used appointment scheduling and calendar service, is apologizing to its customers after 3.7 million records appeared on a dark web hacker forum. A distributed denial of service (DDoS) attack that hit the company’s Amazon AWS servers has been tied to the breach; if that assessment is accurate, it would be an unusual avenue of attack.
The leaked records mostly contained the basic contact information held in user profiles, but it appears that partial credit card numbers were exposed for at least some of the accounts.
Did a DDoS attack provide an opening for a data breach?
A threat group calling itself “Uawrongteam” dumped the data stolen from FlexBooker to an underground forum starting on December 23. The group also dumped stolen data from two other targets around that time: the horse racing site Racing.com and the Redbourne Group’s rediCASE Case Management Software (used for social services and by health care providers).
The FlexBooker attack was by far the worst of the three, exposing partial credit card numbers and hashed passwords for some accounts on a popular hacking forum. The hackers also claimed to have access to payment forms and driver’s license photos.
FlexBooker acknowledged the data breach and sent a warning to its users about it, in which it named a DDoS attack as part of the compromise of its Amazon AWS servers. The company said that it restored a backup and had the site back to full normal function within 12 hours. There is some dispute about exactly what information was revealed to the attackers: FlexBooker said it was limited to basic contact information such as names and email addresses, but HaveIBeenPwned owner Troy Hunt said that some records contained hashed passwords and the last three digits of credit card numbers, and the postings on the hacker forum indicated the attackers had driver’s license photos and other financial documents.
DDoS attacks are generally not a component of an attempted breach, but they can be deployed as a distraction to keep security teams from noticing hackers sneaking in the back door, as Nasser Fattah, North America Steering Committee Chair for Shared Assessments, explains: “I am not familiar with the particulars of this attack, but I have seen where DDoS attacks are sometimes launched as a distraction (disrupt vital business services), while the adversary’s primary goal is to gain access and exfiltrate sensitive information. We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack. And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”
Hacker forum posts alert FlexBooker to stolen data
FlexBooker’s response to the attack has left something to be desired. Though the company appears to have weathered the incoming DDoS attack without prolonged downtime, it does not appear to have become aware of the roughly 10 million lines of stolen customer data until they were posted publicly on the hacker forum.
The company’s notice to customers also claimed that “payment data was not stolen,” but the hacker forum posts make clear that the final digits of credit card numbers were taken. While not enough on their own to commit financial fraud, these are the sorts of scraps that can be combined with data from other breaches for phishing, scams and account takeover attacks. The aggregation of such information into giant searchable database files, widely available on hacker forums, has recently become a serious security issue.
The breach also likely hit a wide variety of industries. Some of the bigger names that have posted about using FlexBooker include tax company H&R Block Canada, domain registrar and web host GoDaddy, fast food chain Chipotle, and contact lens manufacturer Krewe. These companies use FlexBooker for everything from scheduling job interviews to internal meetings. The company has an even bigger base of small business users, however, as it is one of relatively few robust scheduling software packages that is not exclusively oriented to the needs of the salon and spa industry.
Notifications also appear to have gone out not only to the companies impacted but also to individuals who had scheduled appointments with a company that uses the service. This caused consternation among some recipients, who had no idea what FlexBooker was or exactly what personal data was compromised; it is quite likely that many ignored the notice, believing it to be a scam attempt or junk mail.
The explanation of the breach cause may also have been confusing. DDoS attacks are not generally used to penetrate network security: a traffic flood by itself gives an attacker no access to stored data, so when one accompanies a data breach it is most likely a distraction from the actual intrusion, which still needs its own point of entry. DDoS attacks can also be used as a means of extortion, with attackers perpetrating a short initial attack and then returning with demands for payment to prevent more damaging attacks in the future.
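The monitoring Fattah recommends above, and the distraction pattern described here, can be turned into a concrete check: take the DDoS window reported by the WAF or scrubbing service and look at what else happened inside it. The following Python is an added example, not code from the article, FlexBooker or Shared Assessments. The telemetry (flow-style egress records, an auth log and a database audit log) is constructed for illustration, the 10.0.0.0/8 internal range, the tenfold egress factor and the 100,000-row bulk-read limit are assumptions, and none of it reflects the real FlexBooker logs.

```python
"""Correlate a DDoS alert window with other telemetry to spot a covering breach.

Added illustration; all sample events below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime


def T(hour, minute):
    """Shorthand for timestamps on one constructed day."""
    return datetime(2021, 12, 22, hour, minute)


# DDoS window as it would be reported by the WAF / scrubbing service (assumed).
DDOS_WINDOW = (T(2, 0), T(2, 40))

# Flow-log style egress records: (ts, dst_ip, bytes_out). Constructed.
FLOWS = [
    (T(1, 5),  "203.0.113.10", 800_000),
    (T(1, 20), "198.51.100.7", 600_000),
    (T(1, 50), "10.0.2.15",    5_000_000),      # internal replication, expected
    (T(2, 5),  "203.0.113.10", 900_000),
    (T(2, 10), "203.0.113.99", 400_000),
    (T(2, 15), "192.0.2.44",   1_900_000_000),  # 1.9 GB to a single external host
    (T(2, 20), "192.0.2.44",   2_100_000_000),
    (T(2, 35), "198.51.100.7", 700_000),
    (T(3, 10), "203.0.113.10", 850_000),
]

# Auth log: (ts, principal, src_ip, outcome). Constructed.
AUTH = [
    (T(1, 10), "deploy-bot", "10.0.1.4",   "success"),
    (T(1, 40), "alice",      "10.0.1.22",  "success"),
    (T(2, 8),  "svc-backup", "192.0.2.44", "success"),  # service account, external IP
    (T(2, 9),  "alice",      "10.0.1.22",  "success"),
    (T(3, 0),  "deploy-bot", "10.0.1.4",   "success"),
]

# Database audit log: (ts, principal, rows_returned). Constructed.
DB = [
    (T(1, 30), "app-rw",     250),
    (T(2, 12), "svc-backup", 3_700_000),
    (T(2, 30), "app-rw",     40),
]


def in_window(ts, window=DDOS_WINDOW):
    start, end = window
    return start <= ts <= end


def is_internal(ip):
    # Assumption for this example: the VPC lives in 10.0.0.0/8.
    return ip.startswith("10.")


def egress_anomalies(flows, window=DDOS_WINDOW, factor=10):
    """Per-destination external egress inside the window, compared with the
    largest per-destination external egress seen outside it. A volumetric
    DDoS inflates bytes to many client IPs; exfiltration concentrates bytes
    on one destination, which is what this check isolates."""
    baseline, during = defaultdict(int), defaultdict(int)
    for ts, dst, nbytes in flows:
        if is_internal(dst):
            continue
        (during if in_window(ts, window) else baseline)[dst] += nbytes
    ceiling = max(baseline.values(), default=0) * factor
    return {dst: total for dst, total in during.items() if total > ceiling}


def first_seen_logins(auth, window=DDOS_WINDOW):
    """Successful principal/source-IP pairs that appear only inside the window."""
    known = {(p, ip) for ts, p, ip, out in auth
             if out == "success" and not in_window(ts, window)}
    return [(ts, p, ip) for ts, p, ip, out in auth
            if out == "success" and in_window(ts, window) and (p, ip) not in known]


def bulk_reads(db, window=DDOS_WINDOW, row_limit=100_000):
    """Queries inside the window that returned more rows than any normal request."""
    return [(ts, p, rows) for ts, p, rows in db
            if in_window(ts, window) and rows > row_limit]


def correlate(flows, auth, db, window=DDOS_WINDOW):
    """Tie the signals together: an external IP that both logs in for the
    first time and receives an oversized transfer during the DDoS is the
    'distraction plus exfiltration' pattern the article describes."""
    findings = {
        "egress": egress_anomalies(flows, window),
        "logins": first_seen_logins(auth, window),
        "bulk_reads": bulk_reads(db, window),
    }
    login_ips = {ip for _, _, ip in findings["logins"]}
    findings["correlated_ips"] = sorted(login_ips & set(findings["egress"]))
    return findings


if __name__ == "__main__":
    for key, value in correlate(FLOWS, AUTH, DB).items():
        print(f"{key}: {value}")
```

Run as a script it reports the 4 GB sent to 192.0.2.44, the first-ever login of svc-backup from that same address and the 3.7-million-row read, and names 192.0.2.44 as the correlated actor. The point is the join: each signal alone is noisy during an outage, but a new login, a bulk read and a concentrated outbound transfer lining up inside the DDoS window is exactly the "other anomaly" a team watching only the flood would miss.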