A screenshot of the Bunnings Warehouse Drive & Collect webpage (Image: Supplied)

Bunnings customers who used its Drive & Collect service have been told their private information may have been leaked in a data breach affecting a third-party software platform.

Scheduling service FlexBooker announced late last week that sensitive information belonging to 3.7 million users had been exposed after its servers were “compromised” on December 23.


Names, email addresses, phone numbers, password hashes and partial credit card numbers for some accounts were included in data shared on a popular hacking forum, Australian security expert Troy Hunt told ZDNet.

Bunnings uses FlexBooker as part of its Drive & Collect service, the chain store’s contactless collection service launched during the pandemic. One customer showed Crikey an email from Hunt’s Have I Been Pwned service warning them that their email had been included in the data trove shared online. 

Bunnings’ chief information officer, Leah Balter, confirmed that customers’ data could be included in the leak. 

She said the leak would include only customers’ full names and email addresses, as Bunnings does not collect credit card numbers, phone numbers or passwords when using FlexBooker.

“As soon as we were made aware of the breach, we reached out to customers whose data may have been accessed,” Balter said.

“We’re continuing to work with the third-party provider to further understand the details of how this breach occurred, and the processes being put in place to correct it.”

According to online publication Bleeping Computer, a group calling itself Uawrongteam has claimed responsibility for the breach. It also says it has access to databases from racing media website Racing.com and Redbourne Group’s rediCASE software, both based in Australia, but the legitimacy of those breaches has not been confirmed.

FlexBooker told users that the breach happened during a distributed denial-of-service attack that resulted in a 12-hour service outage. It said it was able to recover from a backup with the assistance of Amazon, which hosts FlexBooker’s service on its servers.

Customers who have used Bunnings’ Drive & Collect service can use the Have I Been Pwned website to see if their email or phone number is contained in the breach.