[BreachExchange] MINDBODY Co Data Breach Could Impact 113.5M Users

Destry Winant destry at riskbasedsecurity.com
Mon Oct 15 09:16:45 EDT 2018


FitMetrix, a fitness technology and performance tracking company owned
by MINDBODY, has suffered a data breach that could impact 113.5
million users. The company, which builds fitness tracking software for
gyms and group classes, was acquired by gym and wellness scheduling
service MINDBODY earlier this year for $15.3 million.

Bob Diachenko, Hacken’s director of cyber risk research, revealed the
breach was caused by several servers that were left without a
password. Each record contained a user’s name, gender, email address,
phone numbers, profile photos, their primary workout location,
emergency contacts and more.

Diachenko added that one of the databases even contained a ransom
demand note. “It appears that the attackers are using a script that
automates the process of accessing a database, possibly exporting it,
deleting the database and then creating the ransom note,” he wrote.

While Diachenko contacted the company via email a week ago to
notify them of the issue, the company only secured the server after
being contacted by another publication.

“We recently became aware that certain data associated with FitMetrix
technology stored online may have been publicly exposed,” said Jason
Loomis, MINDBODY’s chief information security officer. “We took
immediate steps to close this vulnerability. Current indications are
that this data included a subset of the consumers managed by
FitMetrix, which was acquired by MINDBODY in February 2018, and did
not include any login credentials, passwords, credit card information
or personal health information.”

However, Diachenko said there was “some” health information in the
data, and the publication also found several records that included
height, weight and shoe sizes of users. MINDBODY spokesperson Jennifer
Saxon would not elaborate on the incident any further, but the company
said it will “comply with all applicable legal obligations” in
reporting the data exposure to U.S. and European authorities. It would
not comment on whether or not it will inform customers of the security
lapse.
