Cyber Incident Victim: FlexBooker
Date: Dec 2021
Location: United States of America
Summary
A U.S.-based appointment scheduling service suffered a data breach when attackers compromised its AWS cloud storage, accessing and downloading information from over 3.7 million accounts. The intrusion, attributed to the Uawrongteam group, exposed names, email addresses, phone numbers, password hashes with salts, partial credit card data, and driver's license photos, though full payment card details remained unaffected. The same threat actors simultaneously targeted an Australian racing media organization and a case management software provider, exfiltrating similar sensitive data from both entities. Stolen information from all three breaches appeared on hacker forums shortly after the incidents, with the attackers emphasizing the inclusion of personally identifiable documentation and authentication credentials in their disclosures.
Description
On December 23, 2021, at 4:05 PM EST, attackers compromised FlexBooker’s Amazon AWS cloud storage account, leading to unauthorized access and data exfiltration. The threat actor group Uawrongteam claimed responsibility, publishing stolen FlexBooker user databases on hacker forums alongside data allegedly stolen from Australian entities Racing.com and Redbourne Group’s rediCASE software. According to FlexBooker’s breach notification, the attackers downloaded customer information stored on AWS but did not access credit card or payment card details. Forensic analysis revealed the stolen FlexBooker data included names, email addresses, phone numbers, password salts, hashed passwords, driver’s license photos, and other identification documents. Uawrongteam advertised the database as containing 10 million lines of customer records with "juicy columns" of sensitive information, though independent verification by Have I Been Pwned confirmed 3,756,794 compromised accounts. The breach impacted a wide range of FlexBooker’s client businesses, including medical practices, legal offices, salons, and fitness centers relying on its appointment scheduling services. Attackers executed the intrusion days before Christmas 2021 and publicly released the data shortly afterward, with all three breaches attributed to Uawrongteam occurring within the same pre-holiday timeframe.

FlexBooker formally notified affected customers of the breach, advising vigilance in reviewing account statements and credit reports despite asserting no payment card data was exposed. The company referenced an unspecified distributed denial-of-service (DDoS) attack in communications, though subsequent investigations confirmed personal data theft rather than mere service disruption. Have I Been Pwned’s analysis contradicted FlexBooker’s initial claims by verifying that partial credit card information was among the compromised datasets alongside passwords and phone numbers. Parallel breaches at Racing.com—a horse racing media platform—and Redbourne Group’s health service case management software rediCASE followed identical patterns, with Uawrongteam leaking archives containing organizational data. The incident exposed systemic vulnerabilities in third-party cloud storage configurations, impacting millions globally through a single service provider’s compromised infrastructure. FlexBooker did not disclose specific containment measures but acknowledged the AWS account compromise as the intrusion vector in its mandatory breach notifications.
