MindBody-owned FitMetrix revealed to have exposed millions of user records

October 13, 2018

FitMetrix, the activity technology and performance tracking company owned by fitness management software company Mindbody, has exposed millions of user records because it left several of its servers without a password.

FitMetrix, which was acquired by gym and wellness scheduling service Mindbody earlier this year for US$15.3 million, builds fitness tracking software for gyms and group classes that displays heart rate and other fitness metric information for interactive workouts.

As reported by TechCrunch, a security researcher found last week that three unprotected FitMetrix servers had been leaking customer data.

At this time it is not known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two hosted on Amazon Web Services which were not protected by a password, allowing anyone who knew where to look to access the data on millions of users.

Bob Diachenko, Hacken.io’s Director of Cyber Risk Research, found the databases containing 113.5 million records, with TechCrunch advising that it is now known how many users were directly affected.

Each record contained a user’s name, gender, email address, telephone numbers, profile photographs, primary workout location and emergency contacts, although many of the records were not fully complete.

Diachenko, who wrote up his findings, contacted the company via the email address earlier this month but the company only secured the server after TechCrunch reached out.

Jason Loomis, Mindbody’s Chief Information Security Officer, advised: “We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed.

“We took immediate steps to close this vulnerability.

“Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.”

Diachenko rebuffed Mindbody’s claim, saying that there was “some” health information in the data, based on his analysis of the data.

TechCrunch also found several records including height, weight and shoe sizes.

When asked to clarify by TechCrunch, Mindbody spokesperson Jennifer Saxon would not comment further.

It’s not known how many people accessed the database, but Diachenko said that he wasn’t the first to find the exposed database.

A ransom note was buried in one of the tables by a scammer who claimed to have downloaded the database’s contents and would only restore it for bitcoin. But the scammer wasn’t so successful and failed to delete the data. Although the scammer asked for 0.1 bitcoin (US$650), their bitcoin address received only 0.13 bitcoin at its most.

Mindbody said that it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities, but wouldn’t say if it will inform customers of the security lapse.

The company may also face action from European authorities under the General Data Protection Regulation (GDPR), the new data protection regulation, which can fine a company up to four percent of its global worldwide revenue for data breaches and negligent data exposures.
