MindBody Exposes Data Belonging to Millions of FitMetrix Users


The fitness company behind FitMetrix, a popular performance-tracking app, reportedly left the personal data of more than 100 million users exposed.

Three servers belonging to Mindbody were discovered by security researcher Bob Diachenko, Hacken.io’s director of cyber risk research, containing the names, email addresses, phone numbers, workout locations, and other personal contact information of FitMetrix users, TechCrunch reported on Thursday.

In a statement to the site, Jason Loomis, Mindbody’s chief information officer, said the company acted quickly to secure the “vulnerability,” which Diachenko describes as more of a failure to set up a password to view the data. The company stressed the exposure did not include login credentials or financial or personal health data.

The servers, which may have been accessible since September, were finally secured on Thursday.

There are also signs the data may have been stolen or at least accessed without permission before. Diachenko reported finding a note among the exposed files that appears to be part of a botched ransomware attack.

“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko writes. “This script sometimes fails and the data is still available to the user even though a ransom note is created.”


About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD