
MindBody-owned FitMetrix revealed to have exposed millions of user records
October 13, 2018

FitMetrix, the activity technology and performance tracking company owned by fitness management software company Mindbody, has exposed millions of user records because it left several of its servers without a password.

FitMetrix, which was acquired by gym and wellness scheduling service Mindbody earlier this year for US$15.3 million, builds fitness tracking software for gyms and group classes that displays heart rate and other fitness metric information for interactive workouts.

As reported by TechCrunch, a security researcher found last week that three unprotected FitMetrix servers had been leaking customer data.

At this time it is not known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two hosted on Amazon Web Services that were not protected by a password, allowing anyone who knew where to look to access the data of millions of users.

Bob Diachenko, Hacken.io’s Director of Cyber Risk Research, found the databases containing 113.5 million records, with TechCrunch advising that it is not known how many users were directly affected.

Each record contained a user’s name, gender, email address, telephone numbers, profile photographs, primary workout location and emergency contacts, although many of the records were incomplete.

Diachenko, who wrote up his findings, contacted the company by email earlier this month, but the company only secured the server after TechCrunch reached out.

Jason Loomis, Mindbody’s Chief Information Security Officer, advised: “We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed.

“We took immediate steps to close this vulnerability.

“Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.”

Diachenko disputed Mindbody’s claim, saying that, based on his analysis, there was “some” health information in the data.

TechCrunch also found several records including height, weight and shoe sizes.

When asked to clarify by TechCrunch, Mindbody spokesperson Jennifer Saxon would not comment further.

It’s not known how many people accessed the database, but Diachenko said that he wasn’t the first to find the exposed database.

A ransom note was buried in one of the tables by a scammer who claimed to have downloaded the database’s contents and would only restore it for bitcoin. The scammer, however, had failed to actually delete the data. Although the scammer asked for 0.1 bitcoin (US$650), their bitcoin address received only 0.13 bitcoin at most.

Mindbody said that it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities, but wouldn’t say if it will inform customers of the security lapse.

The company may also face action from European authorities under the General Data Protection Regulation (GDPR), the new data protection regulation, which can fine a company up to four percent of its worldwide revenue for data breaches and negligent data exposures.
