Urban Massage, a wellness app that connects users with professional massage therapists, reportedly left a database open to public access, potentially exposing sensitive user and employee data—including complaints alleging sexual misconduct by “dangerous” users alongside their names and other personal information.
The Elasticsearch database, which was hosted on Google's cloud and has since been taken offline, reportedly included over 309,000 user records, over 351,000 booking records, and over 2,000 therapist records. TechCrunch first reported the exposure on Tuesday after security researcher Oliver Hough discovered the database on Shodan, a search engine for internet-connected devices and systems.
Personal information for both users and massage therapists was reportedly left exposed by the unsecured database, including names, emails, and phone numbers. No financial information or passwords were exposed, according to TechCrunch, which reviewed the data and verified its veracity. The publication suspects that the database had been up “for at least a few weeks” before it went offline.
Perhaps the most dangerous consequence of Urban’s failure to properly secure its online database was the sensitive worker complaints reportedly included in it. TechCrunch reports that there were thousands of complaints in which massage therapists documented their issues with the system and their clients, many of which detailed sexual misconduct complaints against potentially predatory customers.
For example, there were complaints alleging that clients asked for “massage in genital area” and “sexual services from therapist.” Other complaints flagged clients as “dangerous” or blocked from using the service as a result of “police enquiries.” These complaints included customers’ names, addresses, and phone numbers, TechCrunch reported.
Hough confirmed to Gizmodo the numbers and claims in TechCrunch’s report.
In an email to Gizmodo, Urban Massage CEO Jack Tang denied that his company “leaked” any data and vaguely threatened legal action against Gizmodo, writing, “it is not true that Urban leaked any data (we are contacting Techcrunch to amend this statement in their article). Your statement in your article would be misleading and we would reserve our rights.”
A company statement Tang shared in his email said that Hough “had found a potential security vulnerability,” adding: “We immediately closed the potential vulnerability and have taken all appropriate action, including by notifying users and the ICO. The researcher has now confirmed to us that he did not copy or retain any data and that he did not pass anything to anyone else other than the journalist. That was the only access we are aware of.”
When Gizmodo asked Tang whether he denied that Urban user data was accessible on an unsecured online database, and how he would characterize a third party being able to access unsecured user data if “leak” was incorrect, he reiterated his soft legal threat, saying that he “maintain[s] the statements provided in our previous email and would reserve our rights to any damages as a result of any misleading information you publish.”
When a company exposes the personal information of its workers and clients online, it inherently creates a number of risks for those whose personal data is inappropriately accessible—being susceptible to fraud, hacking, doxing, and more. Risking exposure of complaints of sexual misconduct and violence is a model example of how not taking online security seriously can have serious offline consequences, potentially endangering those who spoke up about dangerous users. What’s more, it does not inspire faith in workers to report these types of issues to their company—issues that should be securely documented.