The fitness company behind FitMetrix, a popular performance-tracking app, reportedly left the personal data of more than 100 million users exposed.
Three servers belonging to Mindbody were discovered by security researcher Bob Diachenko, Hacker.io’s director of cyber risk research, containing the names, email addresses, phone numbers, workout locations, and other personal contact information of FitMetrix users, Tech Crunch reported on Thursday.
In a statement to the site, Jason Loomis, Mindbody’s chief information officer, said the company acted quickly to secure the “vulnerability,” which Diachenko describes as more of a failure to set up a password to view the data. The company stressed the exposure did not include login credentials or financial or or personal health data.
The servers, which may have been accessible since September, were finally secured on Thursday.
There are also signs the data may have been stolen or at lease accessed without permission before. Diachenko reported finding note among the exposed files that appears part of a botched ransomware attack.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko writes. “This script sometimes fails and the data is still available to the user even though a ransom note is created.”