Names, phone numbers and email addresses have been exposed via a third-party website.
Bunnings customers who used its Drive & Collect service have been told their private information may have been leaked in a data breach affecting a third-party software platform.
Scheduling service FlexBooker announced late last week that sensitive information belonging to 3.7 million users had been exposed after its servers were “compromised” on December 23.
Names, email addresses, phone numbers, password hashes and partial credit card numbers for some accounts were included in data shared on a popular hacking forum, Australian security expert Troy Hunt told ZDNet.
Bunnings uses FlexBooker as part of its Drive & Collect service, the chain store’s contactless collection service launched during the pandemic. One customer showed Crikey an email from Hunt’s Have I Been Pwned service warning them that their email address had been included in the data trove shared online.
Bunnings’ chief information officer Leah Balter confirmed that customers’ data could be included in the leak.
She said this leak would only include customers’ full name and email address as Bunnings does not collect credit card numbers, phone numbers or passwords when using FlexBooker.
“As soon as we were made aware of the breach, we reached out to customers whose data may have been accessed,” Balter said.
“We’re continuing to work with the third-party provider to further understand the details of how this breach occurred, and the processes being put in place to correct it.”
According to online publication Bleeping Computer, a group calling itself Uawrongteam has claimed responsibility for the breach. It also says it has access to databases from racing media website Racing.com and Redbourne Group’s rediCASE software, both based in Australia, but the legitimacy of those claimed breaches has not been confirmed.
FlexBooker told users that the breach happened during a distributed denial-of-service attack that resulted in a 12-hour service outage. It said it was able to recover from a backup with the assistance of Amazon, which hosts FlexBooker’s service on its servers.
Customers who have used Bunnings’ Drive & Collect service can use the Have I Been Pwned website to see if their email or phone number is contained in the breach.