Mindbody’s FitMetrix leaked millions of Users’ Personal Details

FitMetrix the performance tracking company owned by Mindbody- exposed millions of user data due to two unprotected servers.

According to TechCrunch, Cybersecurity group Hacken.io discovered the leak when they found three databases not protected by passwords contained 113.5 million FitMetrix records on Oct. 5.

According to a Hacken.io blog post explaining the security breach, it reads that many included information like names, emails, birthdays, phone numbers and emergency contacts as well as height, weight and even shoe size,

Mindbody’s chief Information security officer, Jason Loomis, in an email statement on Thursday, said the San Luis Obispo health and wellness company was aware of the risk and took “immediate steps to close this vulnerability.”

Loomis said the data included a subset of consumers managed by FitMetrix, but did not include any log-in credentials, passwords, credit card information or personal health information.

Examination of the databases showed some health information was compromised, said TechCrunch and Hacken.io.

“Mindbody takes the privacy and security of our customer and consumer data seriously, and we will leverage this incident to continuously improve our security posture,” Loomis wrote.

It was not known if Mindbody has notified the users about the breach. It was not confirmed till Thursday morning.

TechCrunch reported that it’s unknown for how long the servers were at risk. The records were indexed by a search engine for open databases in September.

Bob Diachenko, director of cyber risk research at Hacken.io, said in his blog post that the files were labeled “compromised” by the search engine — meaning the database contained a file with a ransom demand note asking for popular cryptocurrency Bitcoin. (Attackers will sometimes copy and delete databases before leaving behind a ransom note asking for money to restore the files.)

In this case, the database was unsuccessfully deleted, and the data was still available.

Upon discovering the breach, Diachenko said, he sent emails to FitMetrix and Mindbody to alert them to the exposed database. Mindbody responded and the database was secured on Oct. 10.