FlexBooker Data Breach Exposes 3.75 Million Accounts


When it comes to appointment scheduling and booking software, FlexBooker is in a league of its own. The cloud-based solution allows businesses to easily accept, wait-list, and confirm online bookings and sync employee calendars. Unfortunately, the fast-growing company suffered a major setback in December following a data breach that exposed 3.75 million user accounts.

What Is FlexBooker?

James and Andrew Ford founded FlexBooker in 2014. They wanted to bring an easy-to-use, yet sophisticated and powerful appointment management solution to small and large businesses. With no technical expertise required, users can, for example, receive and manage online appointments, right from their own website. Furthermore, most calendar software is compatible with FlexBooker.

The company is growing rapidly. According to FlexBooker, they already helped “thousands of business locations and millions of their customers.” FlexBooker is also becoming a strong competitor for Square Appointments, a similar solution offered by financial services and digital payments company, Square, which recently bought Australian fintech AfterPay for $29 billion.

The Fords are no strangers to building cloud-based solutions. In 2009 they built a SaaS-based restaurant table management, reservation, and waitlist platform called Save My Table. After selling Save My Table to Scripps Networks Interactive in 2011, they integrated the web-based restaurant table management solution into CityEats.com.

What Happened?

A few days before Christmas, an unknown perpetrator managed to gain access to an account within FlexBooker’s Amazon Web Services (AWS) infrastructure. In early January, Have I Been Pwned (HIBP) found out that the data was being actively traded on a popular hacking forum. The issue was flagged by a white-hat hacker, who requested that the discovery be attributed to “[email protected]”.

In total, the intruder compromised 3,756,794 accounts. The compromised data included email addresses, names, phone numbers, and, for some accounts, password hashes and partial credit card data. 69% of the stolen data is already available in HIBP’s database.

Apparently, the same gang is also offering databases from two other organizations on the dark web, both based in Australia: thoroughbred racing media company Racing.com and client and case management software company rediCASE.

What Happens Now?

FlexBooker notified users of the data security incident, adding that the hacker did not access credit card or other payment card information. They did, however, warn users to stay vigilant and to monitor their accounts for any suspicious or fraudulent activity. A separate report on a massive DDoS attack that occurred on 24 December is now resolved.

A range of professionals now use FlexBooker, from accountants, barbers, doctors, dentists, and lawyers to mechanics, gyms, beauty salons, therapists, trainers, and others. Global companies like Chipotle, Krewe, Bausch + Lomb, and GoDaddy also use the tool. Some major DIY and hardware stores even offer click-and-collect pickups using FlexBooker.

However, customers of these businesses, who simply used the software to book an appointment, for example, did not receive a notification. They will need to check for themselves whether their data was part of the FlexBooker breach by seeing if their email is listed on Have I Been Pwned.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol that has been finetuned and optimized over the years.