The fitness software company FitMetrix may have exposed a database hosted on AWS containing millions of customer records. The exposed records included name, gender, email address, birth date, home and work phone, height, weight and more.
The huge trove of data was discovered by the expert Bob Diachenko using a simple Shodan query for unsecured Elasticsearch installs.
The 119GB archive exposed by FitMetrix in cloud storage held two sets of data; one of them was labeled “compromised” and contained a ransom note.
“On October 5th, a member of the Hacken security team has been browsing through Shodan looking for exposed Elasticsearch instances which recently could become targets in another spread of ransomware campaigns,” reads a blog post published by Diachenko.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note. This script sometimes fails and the data is still available to the user even though a ransom note is created.”
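The “export, delete, leave a ransom note” sequence described in the quote leaves a recognisable trace in HTTP access logs. The following detection script is an added example, not code from the article or from Hacken; it assumes the Elasticsearch HTTP port sits behind a reverse proxy whose access log records client IP, method, path and status, and the log lines are constructed for illustration (not real FitMetrix data).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed proxy format: client IP,
# quoted request line, status). The first source reads an index, deletes it,
# then creates a ransom-style index; the second only runs a search.
SAMPLE_LOG = """\
203.0.113.7 "GET /_cat/indices?v HTTP/1.1" 200
203.0.113.7 "GET /platformaudit-2018.09/_search?scroll=5m&size=1000 HTTP/1.1" 200
203.0.113.7 "DELETE /platformaudit-2018.09 HTTP/1.1" 200
203.0.113.7 "PUT /readme_to_recover/_doc/1 HTTP/1.1" 201
198.51.100.9 "GET /platformaudit-2018.09/_search?q=user:1 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
# Index names typically used for ransom notes in these campaigns (heuristic).
RANSOM_HINT = re.compile(r"(readme|warning|recover|ransom|how_to)", re.I)

def parse(log_text):
    """Return (ip, method, index, status) tuples; the index is the first
    path segment, with query string stripped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            index = path.lstrip("/").split("/")[0].split("?")[0]
            events.append((ip, method, index, int(status)))
    return events

def find_wipe_and_ransom(events):
    """Per source IP, flag a successful DELETE of a data index followed by
    creation of a ransom-style index; record whether the index was read
    (exported) by that source first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[0]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        exported, deleted = set(), set()
        for _, method, index, status in evs:
            if status >= 400 or not index or index.startswith("_"):
                continue  # failed request or cluster API call, not a data index
            if method == "GET":
                exported.add(index)
            elif method == "DELETE":
                deleted.add(index)
            elif method in ("PUT", "POST") and deleted and RANSOM_HINT.search(index):
                findings.append({"source": ip, "wiped": sorted(deleted),
                                 "exported_first": sorted(exported & deleted),
                                 "ransom_index": index})
    return findings
```

A source that only searches (the second IP above) is not flagged; a deletion followed by a ransom-style index from one client is.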
The database includes daily FitMetrix platform audit data for the period between July 15th and Sept 19th 2018. The total number of records in the ‘platformaudit’ indexes was 122,869,970, though not all of them contained customer data.
Diachenko estimated that “millions” of other accounts were likely affected as well.
Mindbody, which owns FitMetrix, secured the database on October 10, five days after being informed of the data leak.