The fitness software company FitMetrix may have exposed a database hosted on AWS containing millions of customer records. The exposed records included name, gender, email address, birth date, home and work phone, height, weight and much more.
The huge trove of data was discovered by the expert Bob Diachenko using a simple Shodan query for unsecured Elasticsearch installs.
The expert discovered a 119GB archive exposed by FitMetrix on cloud storage. He noticed two sets of data, one of which was labeled “compromised” and contained a ransom note.
“On October 5th, a member of Hacken security team has been browsing through Shodan looking for exposed Elasticsearch instances which recently could become targets in another spread of ransomware campaigns,” reads a blog post published by Diachenko.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note. This script sometimes fails and the data is still available to the user even though a ransom note is created.”
The database includes daily FitMetrix platform audit data in the period between July 15th and Sept 19th 2018. The total number of records in ‘platformaudit’ indexes was 122,869,970, not all containing customer data.
Diachenko estimated that “millions” of other accounts were still likely to have been affected.
Mindbody, which owns FitMetrix, secured the database five days after it was informed of the data leak, on October 10.