Urban Massage exposed a huge customer database, including sensitive comments on its creepy clients

Urban Massage, a popular massage startup that bills itself as providing “wellness that comes to you,” has leaked its entire customer database.

The London, U.K.-based startup — now known as just Urban — left its Google-hosted ElasticSearch database online without a password, allowing anyone to read hundreds of thousands of customer and staff records. Anyone who knew where to look could access, edit or delete the database.

Security researcher Oliver Hough found the database through Shodan, a search engine for exposed devices and databases, and told TechCrunch of the exposure.

It’s not known how long the database was exposed or if anyone else had accessed or obtained the database before it was pulled. It’s believed that the database was exposed for at least a few weeks.

Urban pulled the database offline after TechCrunch reached out.

Chief executive Jack Tang said in a statement: “Urban is looking into this as a matter of utmost urgency. We have informed the ICO and will take all other appropriate action, including in relation to data and communications.”

A spokesperson for the ICO, the UK’s data protection regulator, confirmed it was aware of the breach and, “will assess the information we receive against data protection laws, before deciding whether or not to investigate.”

At the time of securing the database, the company had exposed more than 309,000 user records, including names, email addresses and phone numbers. Each record also had a unique referral code, allowing friends to get discounted treatments.

We verified the data by contacting several users at random. One user, who did not want to be named, said the data exposure was a “huge violation” of her privacy.

The database also contained over 351,000 booking records, and more than 2,000 records on Urban massage therapists, including their names, email addresses and phone numbers.

That roughly amounts to similar figures reported by the company earlier this month.

Among the records included thousands of complaints from workers about their clients. The records included specific complaints — from account blocks for fraudulent behavior, abuse of the referral system and persistent cancelers. But, many records also included allegations of sexual misconduct by clients — such as asking for “massage in genital area” and requesting “sexual services from therapist.” Others were marked as “dangerous,” while others were blocked due to “police enquiries.” Each complaint included a customer’s personally identifiable information — including their name, address and postcode and phone number.

But from a cursory review of the data, the database didn’t contain financial information — such as credit cards or individual account passwords.

How the data came to be exposed remains a mystery, but the severity of the data is serious — and the repercussions could be significant. Because the company falls under the new European-wide GDPR rules, Urban may face steep financial penalties of up to four percent of its global annual revenue.

For a company that’s centered around bringing relaxation to the masses, this breach will likely cause unnecessary stress for a lot of people.