MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords

FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.

The company builds fitness tracking software for gyms and group classes that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing.

Last week, a security researcher found three FitMetrix unprotected servers leaking customer data.

It isn’t known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two identical ElasticSearch instances and a storage server, all hosted on Amazon Web Services, yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records, though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were incomplete.

The storage server, hosted in an Amazon S3 bucket, stored user profile pictures, but remained open at the time of writing. For that reason, we’re not linking to it.

Diachenko, who wrote up his findings, contacted the company by email a week ago, but the company only secured the servers after TechCrunch reached out.

“We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed,” said Jason Loomis, Mindbody’s chief information security officer. “We took immediate steps to close this vulnerability,” he added. “Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information,” he said.

Diachenko disputed Mindbody’s claim, saying that, based on his analysis, there was “some” health information in the data. TechCrunch also found several records including height, weight and shoe sizes.

When asked to clarify, Mindbody spokesperson Jennifer Saxon would not comment further.

It’s not known how many people accessed the database, but Diachenko said that he wasn’t the first to find the exposed database.

A ransom note was buried in one of the tables by a scammer who claimed to have downloaded the database’s contents and would only restore it for bitcoin. But the scammer was not entirely successful: they failed to delete the data. Although the scammer asked for 0.1 bitcoin, some $650 at today’s rate, their bitcoin address had received only 0.13 bitcoin in total.

Mindbody said that it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities, but wouldn’t say if it will inform customers of the security lapse.

The company may also face action from European authorities under GDPR, the new data protection regulation, which can fine a company up to four percent of its global revenue for data breaches and negligent data exposures.