Due to negligence or forgetfulness, MindBody put user records in jeopardy. The Shodan search engine had indexed three MindBody servers that had a security opening. Security researcher Bob Diachenko found the problem and reported that the servers were leaking data.
MindBody had recently bought FitMetrix for 15.3 million and had inherited this problem from the previous owners. It was not known how long this had been going on. The servers were hosted on Amazon AWS, specifically Amazon S3, its VM service.
MindBody is a health and fitness company, and it bought out FitMetrix, which makes software for gyms and gym classes that displays important health indicators and fitness metrics for interactive workouts.
The culprit was a storage server left with no password to protect it from unwanted access. As a result, a database of 113.5 million records was exposed to anyone who could reach it.
The database contained personal details and vital statistics of MindBody clients, as well as photos. This information included email contact details along with a host of other personal information that could identify MindBody clients. Because the database had no password, all of this personal information was available to hackers.
The security researcher who found the wide-open database was Bob Diachenko. Diachenko reached out to MindBody by email to notify them of the security problem.
Diachenko also warned that it appeared more than one person besides himself had accessed the exposed database.
Jason Lewis from MindBody made a public disclosure, telling reporters of the data breach and stating that no financial or MindBody login information was stolen. He reiterated that this data breach occurred on FitMetrix servers that MindBody had acquired and that it did not affect MindBody logins. He assured reporters that he would fully cooperate with authorities in their investigation.
Diachenko disagreed, saying that, from what he found in the data, the database did contain personal health information. TechCrunch also found several instances of health information.
MindBody may face stiff penalties for its security problems. Under new laws in Europe, MindBody may have to pay the European governing bodies sizeable amounts of money to rectify this security problem.
MindBody has assured US and European authorities that it will fully cooperate with them concerning the data breach, but would not say whether it would inform its clients of the security problem.
It should be mentioned that a thief left a ransom note in a file on the server. In the note, he demanded that 0.1 Bitcoin be deposited to his account before he would restore the downloaded database. Unfortunately for him, he had failed to delete the database, leaving no reason to pay the ransom. His Bitcoin address was checked, and in total it contained no more than 0.13 Bitcoin, leading us to believe that his bid to extort money over a security breach caused by a missing password was not successful.