Sorry, SoulCycle and CrossFit fans, your data may have been breached.
Mindbody, a popular gym and wellness scheduling service, is under fire after its fitness tracking company FitMetrix exposed millions of user records because its servers did not require passwords.
Bob Diachenko, Hacken.io’s director of cyber risk research, recently reported that three FitMetrix servers were unprotected and left customer data vulnerable. The fitness tracking service creates software for popular boutique classes like CrossFit and SoulCycle. Other clients include Lifetime Fitness, Gold’s Gym and Cyclebar.
Mindbody, an app that lets users book fitness and beauty appointments, bought FitMetrix in February for $15.3 million, according to TechCrunch.
“We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed,” said Jason Loomis, Mindbody’s chief information security officer. “We took immediate steps to close this vulnerability.”
As many as 113.5 million records were compromised, TechCrunch reported, though it’s unclear how many users were directly affected. The leak contained customers’ names, genders, email addresses, phone numbers, profile photos and more, according to the report.
FitMetrix insisted that no “login credentials, passwords, credit card information, or personal health information” was compromised, but Diachenko found “some” health information while combing through the exposed data. Meanwhile, TechCrunch also found users’ personal info like weight, height and shoe sizes.
Diachenko also reported that a scammer claimed to have downloaded the database and tried to hold it for ransom in exchange for 0.1 bitcoin, or about $650.
A Mindbody rep told TechCrunch it will “comply with all applicable legal obligations” to report the data breach to US and European authorities, but did not clarify whether it will tell users about the leaked information.