MINDBODY Co Data Breach Could Impact 113.5M Users

FitMetrix, a fitness technology and performance tracking company owned by MINDBODY, has suffered a data breach that could impact 113.5 million users. The company, which builds fitness tracking software for gyms and group classes, was acquired by gym and wellness scheduling service MINDBODY earlier this year for $15.3 million.

Bob Diachenko, Hacken’s director of cyber risk research, revealed the breach was caused by several servers that were left without a password. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more.

Diachenko added that one of the databases even contained a ransom demand note. “It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database and then creating the ransom note,” he wrote.

Diachenko notified the company by email a week before the exposure was closed, but the server was only secured after another publication contacted the company.

“We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed,” said Jason Loomis, MINDBODY’s chief information security officer. “We took immediate steps to close this vulnerability. Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by MINDBODY in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.”

However, Diachenko said there was “some” health information in the data, and the publication also found several records that included users’ height, weight and shoe size. MINDBODY spokesperson Jennifer Saxon would not elaborate on the incident any further, but the company said it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities. It would not say whether it will notify affected users of the security lapse.