Mindbody acquisition leaked millions of files of customers’ personal info

Mindbody-owned performance tracking company FitMetrix exposed millions of user records due to two unprotected servers.

The leak came to light after the cybersecurity group Hacken.io discovered, on Oct. 5, three databases with no password protection containing 113.5 million FitMetrix records, according to TechCrunch.

Though not all of those records contain user data, many included information such as names, emails, birthdays, phone numbers and emergency contacts as well as height, weight and even shoe size, according to a Hacken.io blog post explaining the security breach.

In an email statement on Thursday, Mindbody’s chief information security officer, Jason Loomis, said the San Luis Obispo health and wellness company was aware of the risk and took “immediate steps to close this vulnerability.”

Loomis said the data included a subset of consumers managed by FitMetrix, but did not include any log-in credentials, passwords, credit card information or personal health information.

TechCrunch and Hacken.io, however, said examination of the databases showed some health information was compromised.

“Mindbody takes the privacy and security of our customer and consumer data seriously, and we will leverage this incident to continuously improve our security posture,” Loomis wrote.

Requests for further comment from Mindbody on the number of users impacted and whether those users had been notified of the breach were not immediately returned Thursday morning.

It’s unknown for how long the servers were at risk. TechCrunch reported that the records were indexed by a search engine for open databases in September.

Bob Diachenko, director of cyber risk research at Hacken.io, said in his blog post that the files were labeled “compromised” by the search engine — meaning the database contained a file with a ransom demand note asking for popular cryptocurrency Bitcoin. (Attackers will sometimes copy and delete databases before leaving behind a ransom note asking for money to restore the files.)

In this case, the attempt to delete the database failed, and the data was still available.

Upon discovering the breach, Diachenko said, he sent emails to FitMetrix and Mindbody to alert them to the exposed database. Mindbody responded and the database was secured on Oct. 10.

Mindbody acquired Atlanta-based FitMetrix in February for $15.34 million, according to a filing with the Securities and Exchange Commission.

The smaller company provides digital performance tracking for boutique fitness studios, gyms and health clubs to help them track, rank, display and instantly reward clients based on their real-time exercise results.

It was one of several high-profile acquisitions for Mindbody as the company, which employs 1,500 people around the world, looks to expand its operations.

Kaytlyn Leslie: 805-781-7928, @kaytyleslie