Australasian Leisure Management
Oct 13, 2018

MindBody-owned FitMetrix revealed to have exposed millions of user records

FitMetrix, the activity technology and performance tracking company owned by fitness management software company Mindbody, has exposed millions of user records because it left several of its servers without a password.

FitMetrix, which was acquired by gym and wellness scheduling service Mindbody earlier this year for US$15.3 million, builds fitness tracking software for gyms and group classes that displays heart rate and other fitness metric information for interactive workouts.

As reported by TechCrunch, a security researcher found last week that three unprotected FitMetrix servers had been leaking customer data.

At this time it is not known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two hosted on Amazon Web Services that were not protected by a password, allowing anyone who knew where to look to access data on millions of users.

Bob Diachenko, Director of Cyber Risk Research at Hacken.io, found the databases, which contained 113.5 million records; TechCrunch advises that it is not yet known how many users were directly affected.

Each record contained a user’s name, gender, email address, telephone numbers, profile photographs, primary workout location and emergency contacts, although many of the records were incomplete.

Diachenko, who wrote up his findings, contacted the company by email earlier this month, but the company only secured the servers after TechCrunch reached out.

Jason Loomis, Mindbody’s Chief Information Security Officer advised “we recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed.

“We took immediate steps to close this vulnerability.

“Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.”

Diachenko disputed Mindbody’s claim, saying that his analysis of the data found “some” health information.

TechCrunch also found several records including height, weight and shoe sizes.

When asked to clarify by TechCrunch, Mindbody spokesperson Jennifer Saxon would not comment further.

It’s not known how many people accessed the database, but Diachenko said that he wasn’t the first to find the exposed database.

A ransom note had been left in one of the tables by a scammer who claimed to have downloaded the database’s contents and would only restore it in exchange for bitcoin. The scammer was not successful, however, and did not delete the data. Although the scammer asked for 0.1 bitcoin (US$650), their bitcoin address received at most 0.13 bitcoin.

Mindbody said that it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities, but wouldn’t say if it will inform customers of the security lapse.

The company may also face action from European authorities under the General Data Protection Regulation (GDPR), the new data protection regulation, which allows fines of up to four percent of a company’s global annual revenue for data breaches and negligent data exposures.
