Bunnings has alerted its New Zealand and Australian customers about a security breach to the system it uses to organise click-and-collect bookings.
But the hardware giant says no credit card or password details have been spilled - although the full extent of the incident is still not clear.
On January 7, FlexBooker - the supplier of the cloud-based booking system used by Bunnings and many other retailers worldwide - revealed a group of hackers stole data on December 21. The cyber-heist saw details from some 3.7 million accounts compromised.
Bunnings said in its January 12 alert to customers registered for its click-and-collect system:
"We wanted to let you know that we have recently been made aware of a data security breach experienced by our third-party booking provider, Flexbooker, which may have included the name and email address you provided when selecting a timeslot for a previous Bunnings Drive & Collect order.
"Please be assured that passwords, credit card information and mobile numbers are not collected when using Flexbooker to make a booking with us, and we are confident that none of these categories of customer data have been compromised.
"We are currently working with Flexbooker to further understand how the breach occurred in their systems and the extent of the impact."
FlexBooker released a notice soon after, admitting that its cloud systems were targeted, according to a report by InfoSecurity Magazine.
"On December 23, 2021, starting at 4:05 PM EST our account on Amazon's AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data," it said.
"As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours."
It's unclear how the attackers were able to compromise the FlexBooker account and whether human error such as cloud misconfiguration had anything to do with it.
According to FlexBooker, the stolen information included customers' full names, email addresses and phone numbers. It claimed that no payment card details were compromised, although according to HaveIBeenPwned, "partial credit card data" was taken.
Customer passwords were encrypted, and the encryption key was not accessed or downloaded, FlexBooker added.