ramimac / aws-customer-security-incidents

A repository of breaches of AWS customers
GNU General Public License v3.0
686 stars, 40 forks

Monitor Flexbooker breach for further details #1

Closed ramimac closed 1 year ago

ramimac commented 2 years ago

https://www.flexbooker.com/data-breach

christophetd commented 1 year ago

https://flexboooker.statuspage.io/incidents/hrwzs0n72tz6

We have been alerted through monitoring analytics that we are experiencing a massive Deep Denial of Service attack.

We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.

Also from BleepingComputer https://www.bleepingcomputer.com/news/security/flexbooker-discloses-data-breach-over-37-million-accounts-impacted/

“On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised,” reads the notification

So it's pretty confusing, as they seem to say "we had a DDoS, but we got our servers compromised, and a brute force attack shouldn't have been possible". 🤔 Any thoughts @ramimac?

ramimac commented 1 year ago

My rough take: they don't have a clue what they're doing. This is amplified by them leaking an S3 bucket just a couple months later: https://www.zdnet.com/article/amazon-steps-in-to-close-exposed-flexbooker-bucket-after-december-data-breach/

The DDOS comment was made while the incident was ongoing - and the framing feels like finger pointing at the wrong side of the shared responsibility model.

They definitely had data compromised - it was offered up for sale by Uawrongteam (based on the screenshot in various articles - likely on breached.to).

Their data-breach link is 404'ing for me, but a longer quote:

“On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data. As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours. After working further with Amazon to understand what happened, we learned a certain set of data, including personal information of some customers, was accessed and downloaded including: first and last names, email addresses, and phone numbers. The data accessed did not include credit card or other payment card numbers. Customer passwords included in the data were encrypted. The encryption key was not accessed or downloaded. We have worked with Amazon to restore the security of our account, and will continue to work with Amazon to maintain security.”

-- Again - a guess - but sounds like the "DDOS" was the attacker downloading then nuking the data, hence the need to restore from backup.