FitMetrix Leaks User Information

Posted by alphaatlas 12:04 PM (CDT)

Thursday October 11, 2018

Another day, another massive user data leak, this time from FitMetrix. The fitness company, which makes software for institutions like CrossFit and SoulCycle, reportedly hosted user data on AWS instances, but forgot to use a password to secure that data. Security researcher Bob Diachenko claims the database contained 113.5 million records, with each record containing some combination of a "user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more." The server was still open and vulnerable when Bob and TechCrunch posted their articles.

"We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed," said Jason Loomis, Mindbody's chief information security officer. "We took immediate steps to close this vulnerability," he added. "Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information," he said. Diachenko rebuffed Mindbody’s claim, saying that there was "some" health information in the data, based on his analysis of the data. TechCrunch also found several records including height, weight and shoe sizes. When asked to clarify, Mindbody spokesperson Jennifer Saxon would not comment further.