PSA: You're One of 3,756,794 People Pwned in The FlexBooker Data Breach

Since I have never directly used the FlexBooker website, it would appear impossible to determine which account details have indirectly been compromised?
Anyone else receive this email and work out which booking service it is related to?

FlexBooker: In December 2021, the online booking service FlexBooker suffered a data breach that exposed 3.7 million accounts. The data included email addresses, names, phone numbers and for a small number of accounts, password hashes and partial credit card data. FlexBooker has identified the breach as originating from a compromised account within their AWS infrastructure. The data was found being actively traded on a popular hacking forum and was provided to HIBP by a source who requested it be attributed to "[email protected]".

Compromised data: Email addresses, Names, Partial credit card data, Passwords, Phone numbers

https://www.bunnings.com.au/help-support/flexbook-data-secur…

Related Stores

flexbooker.com

Comments

  • +5

    Most likely because you have used it for Bunnings Click and Collect in the past…

    see: https://www.reddit.com/r/australia/comments/rx8u1m/if_youve_…

    if you have a list of email addresses and you want to check which one has been compromised, use: https://haveibeenpwned.com/
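For anyone with more than a handful of addresses to check, the HIBP v3 "breachedaccount" endpoint does the same lookup the website does. The script below is an added example for this thread, not code from HIBP or from the original poster: the endpoint, the `hibp-api-key` header (an API key is required) and the 200/404/429 status semantics are HIBP's documented behaviour; the sample addresses and the canned responses are constructed so the logic can be exercised offline, and the request pacing is a conservative assumption rather than a published limit.

```python
"""Check a list of e-mail addresses against Have I Been Pwned (HIBP).

Added example for this thread, not code from HIBP or the original post.
Real parts: the v3 breachedaccount endpoint, the 'hibp-api-key' header and
the meaning of 200 (breach list), 404 (not found) and 429 (rate limited).
Constructed parts: SAMPLE_RESPONSES and the addresses in the demo below.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_BASE = "https://haveibeenpwned.com/api/v3"


def hibp_lookup(account, api_key, user_agent="hibp-list-check"):
    """Return (status, body) for one live breachedaccount query.

    200 -> body is a JSON list of breach objects (only 'Name' when truncated);
    404 -> the account is not in any published breach; 429 -> slow down.
    """
    url = f"{HIBP_BASE}/breachedaccount/{urllib.parse.quote(account)}?truncateResponse=true"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        # HIBP uses 404 and 429 as ordinary signals, so hand them back rather than raising.
        return e.code, e.read().decode()


def check_addresses(addresses, fetch, delay=1.6, max_retries=3):
    """Map each address to the sorted list of breach names it appears in.

    `fetch(account)` must return (status, body) exactly like hibp_lookup; it is
    injected so the bookkeeping can be tested without network access or a key.
    `delay` is an assumed pause between requests to stay under HIBP's rate limit.
    """
    results = {}
    for addr in addresses:
        addr = addr.strip().lower()
        if not addr:
            continue
        attempts = 0
        while True:
            status, body = fetch(addr)
            if status == 200:
                results[addr] = sorted(b["Name"] for b in json.loads(body))
                break
            if status == 404:
                results[addr] = []  # a clean 404 is the "not pwned" answer
                break
            if status == 429 and attempts < max_retries:
                attempts += 1
                time.sleep(delay * attempts)  # simple linear back-off
                continue
            raise RuntimeError(f"HIBP returned {status} for {addr}: {body[:200]}")
        time.sleep(delay)
    return results


# Constructed sample responses (not real HIBP data) so the script runs offline.
SAMPLE_RESPONSES = {
    "alice@example.com": (200, json.dumps([{"Name": "FlexBooker"}, {"Name": "ShopBack"}])),
    "bob@example.com": (404, ""),
}


def sample_fetch(account):
    """Stand-in for hibp_lookup that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(account, (404, ""))


if __name__ == "__main__":
    # Offline demo. For a live run: check_addresses(addrs, lambda a: hibp_lookup(a, "YOUR-KEY"))
    for addr, breaches in check_addresses(["Alice@example.com", "bob@example.com"], sample_fetch, delay=0).items():
        print(addr, "->", ", ".join(breaches) or "not in any published breach")
```

Keep in mind what a 404 means here: as a later comment in this thread notes, HIBP only reflects data that has actually been published or traded, so "not found" is not proof that a particular booking was untouched.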

  • +2

    Most people here were more likely to be affected by the Shopback breach in 2020.

    Best thing you can do is get a password manager and use a different password for every site you have an account for. Real OGs will also buy a new SIM for every account that requires a phone number.

    • +1

      And don't use real information if you need to.

      No reason to give your real age etc.

      • Good luck with that when shit hits the fan.

"I see you're trying to cash out $2. Please provide ID." ID provided. "Clearly, you're a fraud as age does not match." (complains) "Aww, you're so much like those people in Papers Please! Denied cash out. Good luck with ACCC!"

        This happened to me in a competition though. Apparently they thought 1/1/1970 was suspicious.

    • +2

      Got a good password manager that isn't a pain in the arse to use, doesn't take a doctorate level degree to set up and operate, works across every device and doesn't cost $300/month to get all of your accounts synced up?

All the ones I have tried have been absolutely shit, or to get any more than one device or more than 2 accounts working they want an exorbitant amount of money per month.

      InB4: "hOw mUcH iS yOr pErSoNaL dAtA wUrF?". More than the $3 Shopback offered in their "oops, sorry" data breach bribe.

      • +14

        Bitwarden. Haven't had any problems with it, it's Open Source and can be self-hosted if you don't trust anyone but yourself.

LastPass free was good until they screwed us over and only allowed one device - that's when I jumped ship to Bitwarden.

        • Cheers. I'll give it a try. LastPass was the one that bit me on the arse and turned me salty on using password managers.

          Most of the others that I have tried were super clunky or would support Chrome but not Firefox or support Android but not iOS, or you had to open it and log in every time I wanted to use it.

          • +3

            @pegaxs: Bitwarden "locks" the vault by default every time you close the browser which annoyed me, but you can turn it off by going Settings -> Vault Timeout -> Never.

            It still prompts me for a fingerprint when using my phone but that's easy. Otherwise it's always open on my home PC and work laptop.

        • +3

          Yep, +1 bitwarden.
          Migrated from LastPass with little issue.

          20+ character unique passwords everywhere at least means it's only your personal info and credit card details being stolen from a single data breach, not necessarily these details from other sites account logins ;)

        • same on both counts

        • +1

• +1 for Bitwarden. If you decide to go down the self-hosting route, I'd recommend checking out Vaultwarden. It's compatible with all Bitwarden clients, but is much more lightweight.

    • This was a server-side hack. There is nothing users can do to protect themselves against incompetent companies.

  • +2

Yep, it is the Bunnings Click and Collect. However, I am not sure how/why FlexBooker would have passwords or partial credit card info.

    • +1

It seems our email and order ID are stored by FlexBooker, but it doesn't seem like there is any kind of password/CC through Bunnings anyway.

  • FlexBooker has identified the breach as originating from a compromised account within their AWS infrastructure

    Centralized data silos being hacked is no surprise.

    • How would poor admin user credentials secure non centralised data stores?

• The 3,756,794 users' private keys were stored on AWS. Hack one admin key = access to all 3,756,794 private keys.

        A decentralized database doesn't have access to the user's private keys. The private keys are stored in each individual user's wallet.

        • +1

          Users don't have private keys for an application such as this. It's not a public private key crypto scenario.
          It's a backend server database, storing customer credentials and order information.

          They have a hashed and salted password (hopefully) as a key to validate against those details, but it's not an encrypted private key blob.

          There are better scenarios than this for user authentication, but the fundamental data stored on the server side still needs to be computer/human readable/accessible

          • @SBOB: This is why I like WEB 3.0.

The Dapps I interact with only have access to data when I give permission and lose access as soon as the Dapp times out.
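To put the "hashed and salted password (hopefully)" point a few comments up into concrete terms: what a breached credential table looks like depends entirely on how the site stored it. The code below is an added example for this thread, not FlexBooker's code (this page says nothing about their hashing scheme). It uses scrypt from Python's standard library with a random per-user salt, beside an unsalted fast hash, and shows why a leaked table of the former still has to be attacked one row at a time while the latter falls to a precomputed table. The wordlists and passwords are constructed.

```python
"""Server-side password storage: salted slow hash vs. unsalted fast hash.

Added example for this thread, not code from FlexBooker or any other party
on this page. Constructed inputs throughout; scrypt parameters are a
reasonable 2022-era assumption, not a value taken from the page.
"""
import hashlib
import hmac
import os

# Assumed cost parameters: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$n$salt_hex$digest_hex.

    A fresh random salt per user means equal passwords produce different
    records, so an attacker cannot spot shared passwords or reuse work.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${SCRYPT_PARAMS['n']}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/params and compare in constant time."""
    scheme, n, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme {scheme!r}")
    params = dict(SCRYPT_PARAMS, n=int(n))
    calc = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **params)
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def unsalted_sha1(password):
    """The weak scheme: one fast hash, same output for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked_hex, wordlist):
    """Precomputed-table attack: hash each candidate once, then it's a dict lookup
    that works against every row of the leaked table at no extra cost."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return table.get(leaked_hex)


def crack_salted(stored, wordlist):
    """Against a salted record there is no shared table: every candidate must be
    re-hashed with this row's salt at full scrypt cost, for every row."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery")   # constructed password
    print("stored record:", record)
    print("verify good:", verify_password("correct horse battery", record))
    print("verify bad: ", verify_password("correct horse batter", record))
    guesses = ["hunter2", "password123", "letmein"]    # constructed wordlist
    print("unsalted sha1 cracked:", crack_unsalted(unsalted_sha1("password123"), guesses))
    print("salted scrypt cracked:", crack_salted(hash_password("hunter2"), guesses))
```

The salted record is still crackable if the password itself is in the attacker's wordlist (the last line shows that), which is why the password-manager advice earlier in the thread and the hashing scheme are complementary: the slow, salted hash buys time per guess, and a long unique password makes the number of guesses needed impractical.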

  • -5

    Imagine using the word pwned in 2022…. 2005 called.

    • +2

      Did it call to let you know that's the last time people were doing the "[year] called" thing?

• Hmm, I have used Bunnings Click & Collect last year. The haveibeenpwned website doesn't list it when I check my email… OP, how did you find this out?

    • Email from HIBP 2 days ago.

• I got emails from them in the past but not for this one; I also checked manually on the website and I don't see this breach under my email.
  But I have a Bunnings login. Well, just changed the password to be safe.
  So maybe not every Bunnings account is affected.

        • Same here. I did a Bunnings c&c last July and received a FlexBooker email at the time. The email address is subscribed for HIBP alerts and I've received previous breach notices. No alert this time, even doing a manual check.

          Maybe the breach compromised bookings for a certain time period, or that were handled by a specific server instance, or maybe not all compromised bookings were in the traded data file.

• I think haveibeenpwned will only reflect ones which have publicly been released.

• Thanks for the heads up. Changed my Bunnings password, email & phone.

  • Wow. ShopBack was breached in 2020

• Wow. You are almost 2 years behind.

      :) kidding, peace

  • Wtf is flexbooker?

    I must live under a rock.

• Schedule-booking back-end company.

  • Yeah, just got the email from Bunnings yesterday confirming the breach, if they could give me a $250 voucher in compensation, sigh!
