Mindbody-owned performance tracking company FitMetrix exposed millions of user records due to two unprotected servers.
The leak became evident after cybersecurity group Hacken.io discovered, on Oct. 5, three databases with no password protection containing 113.5 million FitMetrix records, according to TechCrunch.
Though not all of those records contain user data, many included information such as names, emails, birthdays, phone numbers and emergency contacts as well as height, weight and even shoe size, according to a Hacken.io blog post explaining the security breach.
In an email statement on Thursday, Mindbody’s chief information security officer, Jason Loomis, said the San Luis Obispo health and wellness company was aware of the risk and took “immediate steps to close this vulnerability.”
Loomis said the data included a subset of consumers managed by FitMetrix, but did not include any log-in credentials, passwords, credit card information or personal health information.
TechCrunch and Hacken.io, however, said examination of the databases showed some health information was compromised.
“Mindbody takes the privacy and security of our customer and consumer data seriously, and we will leverage this incident to continuously improve our security posture,” Loomis wrote.
Requests for further comment from Mindbody on the number of users impacted and whether those users had been notified of the breach were not immediately returned Thursday morning.
It’s unknown for how long the servers were at risk. TechCrunch reported that the records were indexed by a search engine for open databases in September.
Bob Diachenko, director of cyber risk research at Hacken.io, said in his blog post that the files were labeled “compromised” by the search engine — meaning the database contained a file with a ransom demand note asking for popular cryptocurrency Bitcoin. (Attackers will sometimes copy and delete databases before leaving behind a ransom note asking for money to restore the files.)
In this case, the attempt to delete the database had failed, and the data was still available.
Upon discovering the breach, Diachenko said, he sent emails to FitMetrix and Mindbody to alert them to the exposed database. Mindbody responded and the database was secured on Oct. 10.
Mindbody acquired Atlanta-based FitMetrix in February for $15.34 million, according to a filing with the Securities and Exchange Commission.
The smaller company provides digital performance tracking for boutique fitness studios, gyms and health clubs to help them track, rank, display and instantly reward clients based on their real-time exercise results.