Flex Booker, XSplit and others fall victim of data leaks.
02 January 2022BREACHAWARE HQ
A total of 9 breach events
were found and analysed resulting in 4,029,480 exposed accounts
containing a total of 17 different data types of personal datum
. The breaches found publicly and freely available included Flex Booker, XSplit, Beyond Unreal, Lok Sewa Guide and Arago Games. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Technical Data, Usage Data, Communications Data, Locational Data, Socia-Demographic Data, Social Relationships Data, Financial Data.
Data Breach Analysis
Together, the platforms form a mosaic of modern digital life, from streaming workflows to civil service test prep, highlighting how broad and pervasive personal data exposure can be in today's interconnected online environment.Sector Analysis: Who Was Affected and How?
Each platform presents unique risks and serves distinct user communities, but all have in common one core characteristic: user trust in digital systems for utility, convenience, or advancement.FlexBooker is a cloud-based scheduling and calendar tool used by professionals in industries such as fitness, wellness, legal services, and medical clinics. Breaches in platforms like FlexBooker are especially concerning because:
- Users often share personal schedules, full names, contact details, and in some cases, payment information
- Professionals may expose client data inadvertently through their own use of the system
FlexBooker has previously made headlines due to a significant breach in 2021 where attackers gained access to cloud storage containing sensitive appointment-related information. Incidents like these show how SMBs (small and medium-sized businesses) relying on SaaS platforms can become indirect victims when their providers are compromised. Customers booking appointments through such services may have no awareness that their information is being stored in centralised systems, until it’s too late.
XSplit is a well-known live streaming and video recording software suite used by content creators, gamers, online educators, and even virtual event organisers. While not a social platform in the traditional sense, XSplit users often connect accounts to other platforms (e.g., YouTube, Twitch, Discord), making their login credentials and profile data valuable for:
- Credential stuffing attacks on more prominent platforms
- Brand impersonation scams, especially targeting influencers
- Phishing campaigns masquerading as software updates or sponsorships
Content creators and streamers are highly visible, and a breach like this increases their vulnerability to impersonation, targeted scams, or credential chaining.
Beyond Unreal and Arago Games are part of the broader ecosystem of community-driven gaming content, modding, and fan engagement. These platforms often house:
- Long-standing user profiles with legacy credentials
- Forum posts, private messages, and shared assets
- Emails and IP logs from years of participation
Even though such communities may seem niche, they are frequently tied to broader gaming identities that users maintain across multiple platforms. An exposed email and username from a legacy gaming forum may unlock access to:
- Discord servers
- Online game accounts (if credentials are reused)
- Developer profiles (on GitHub, ModDB, etc.)
Furthermore, given the age of some of these communities, the breach may expose older users whose credentials haven’t been updated in years, making them low-hanging fruit for attackers.
Lok Sewa Guide serves individuals preparing for public service commission exams, which are competitive tests used in countries like Nepal and India for entry into government roles. Platforms of this nature collect data from aspirants that may include:
- Full names, education history, and contact information
- Logins tied to government application IDs or test registration platforms
- Behavioural patterns (e.g., preparation timelines, course access)
The users affected are often young professionals or students, a group typically less financially resilient and often unaware of how their data may be reused in credential-based fraud. Beyond direct risks, this breach raises questions about data governance in the education and civil service preparation sectors, which are often under-regulated.
The Risks of Diverse Yet Interconnected Breaches
While each platform in isolation may seem to present limited danger, the collective risk arises from the cross-pollination of identity across digital ecosystems. For example:- A single breached email and password combination from XSplit may lead to unauthorised access to Twitch, YouTube, or Discord.
- A real name and phone number from FlexBooker could be matched with a resume posted on LinkedIn.
- Activity on Beyond Unreal may reveal gaming preferences that are linked to Steam accounts, gaming handles, or financial transactions through game purchases.
When breaches from multiple sectors are publicly available, data aggregation and enrichment become easy for malicious actors, allowing them to construct detailed digital profiles that can be used for fraud, impersonation, or social engineering.
Patterns and Observations
Some recurring themes emerge from this particular breach set:1. Second-tier platforms remain high-risk: Platforms that serve essential niche functions (e.g., booking, community, exam prep) often lack the robust cybersecurity infrastructure of tech giants, making them ideal targets.
2. Legacy systems are still exposed: Older community platforms like Beyond Unreal may have been running on outdated backend systems, forum software, or unsecured admin panels.
3. Digital dependency drives vulnerability: Users now rely on digital platforms to manage work, learning, play, and health. Each additional service expands their digital footprint, and the attack surface.
4. Geographic diversity, same problems: Whether it’s FlexBooker in the U.S., Lok Sewa Guide in South Asia, or Arago Games in Europe, breaches are borderless. User data from emerging markets is no less valuable than data from Western economies.
Conclusion
This breach cluster affecting over 4 million accounts provides another stark reminder that every layer of digital life, from scheduling a haircut to streaming gameplay or preparing for a government job, is vulnerable to data exposure.For users, the lesson is clear: wherever possible, enable two-factor authentication, use unique passwords across platforms, and treat even “low-risk” websites as if they were potential breach points. For platform owners, the takeaway is more urgent: if your business handles user data, especially across time-sensitive services like booking or exams, your users are trusting you with not just data, but dignity and security.
The long-tail effect of these breaches may not be immediately felt, but as leaked databases are combined, resold, and mined for future attacks, the cumulative risk grows, especially for those unaware their data was ever compromised.