Slashdot Mirror


MindBody-Owned FitMetrix Exposed Millions of User Records -- Thanks To Servers Without Passwords (techcrunch.com)

An anonymous reader writes: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes -- like CrossFit and SoulCycle -- that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing. Last week, a security researcher found three FitMetrix unprotected servers leaking customer data. It isn't known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two of the same ElasticSearch instances and a storage server -- all hosted on Amazon Web Services -- yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users. Bob Diachenko, Hacken.io's director of cyber risk research, found the databases containing 113.5 million records -- though it's not known how many users were directly affected. Each record contained a user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

29 comments

  1. Where do companies find.... by bev_tech_rob · · Score: 1

    ....these pinheads that set up these servers and don't even implement basic security?? Are these folks just non-IT personnel that just wing it while setting these systems up and don't have a clue or IT folks that don't give a rat's a**? I mean, REALLY???? NO PASSWORDS???????

    --
    You're messin' with my Zen Thing, man.....
    1. Re:Where do companies find.... by Anonymous Coward · · Score: 1

      ....these pinheads that set up these servers and don't even implement basic security??

      LinkedIN

    2. Re:Where do companies find.... by quintus_horatius · · Score: 1

      It's probably people getting a proof of concept going, and management saying "perfect, ship it as-is tonight!"

    3. Re:Where do companies find.... by Archangel+Michael · · Score: 1

      People who have been in IT long enough don't build a proof of concept without planning on that becoming live.

      All of my test systems are built to go live, from the beginning.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Where do companies find.... by Anonymous Coward · · Score: 1

      A lot of managers believe that security has no ROI, and at worst, the consequences for a breach are minor. Even with the GDPR, a company just shrugs, says that the hackers are unstoppable, and life goes on.

      As someone who has worked in Agile, if a developer has to choose between failing to make deliverables (which will get them fired immediately) versus some security issue that would get the company sued... they will take making their deliverables every time, because there are so many layers insulating them from their misdeeds. Even if a company gets hosed by the GDPR, the dev will suffer few, if any consequences.

      Wish this would be different, but nobody really cares. Think someone would switch from "R" to "D" or vice versa over proposed security/privacy legislation? Nope. Another day, another massive breach.

    5. Re:Where do companies find.... by HarrySquatter · · Score: 2

      The H-1B outsourcing company that charges the least.

    6. Re:Where do companies find.... by ripvlan · · Score: 2

      They probably outsourced it --- and nowhere in the requirements did it say "please protect servers with a password"

  2. RETARD EDITOR INCOMPETENCE by Anonymous Coward · · Score: 0

    Only an IDIOT protects a server with a password these days. Do msmash and Beau rub their margarita glasses in hallucinogenic bath salts?

  3. I've taken to filling out false data anymore by the_skywise · · Score: 1

    Obviously for "real" stuff (credit cards, shipping addresses) I use real data. But for social activity or something like this I'll use a fake name and even a fake birthdate (but would keep the year accurate so, y'know, it doesn't tell me I'm capable of pushing my HR to 200 when it should only be 180).

    Makes for interesting ads and assumptions for targeting (when the ads get through my browser)

    1. Re:I've taken to filling out false data anymore by ripvlan · · Score: 1

      Yes. I now use the last 4 digits of my phone# for SSN these days. It works amazingly well.

      It's just a security question. And I also use a different month for DOB too (January 1, Feb 1, March 1 etc). Facebook is January (1), LinkedIn is Feb (2), Google is March (3), TicketMaster is (4) etc etc. This way when my data is stolen I know where the leak came from.

      I have a scheme written down - just in case they ask me to prove myself.

  4. From a management perspective, the real problem: by remoteshell · · Score: 1

    Is that the records weren't fully filled out. Fire the data entry clerks!

    --
    Just the washing instructions on life's rich tapestry
  5. Servers Without Passwords by Anonymous Coward · · Score: 0

    That's a great name for an international organization involved in exchanges of culture, resources and best practices.

  6. GDPR by Anonymous Coward · · Score: 0

    Sounds like someone hasn't heard of GDPR, and is about to find out about it the very hard and expensive way.

  7. Re:government incompetence by Anonymous Coward · · Score: 0

    WTF are you even talking about? Was the US government involved with FitMetrix at all? .... NOPE you fucking trump supporting right wing ass twat.

  8. Re:government incompetence by Anonymous Coward · · Score: 0

    What does the government have to do with this? The government didn't buy them. Another company did. You're an idiot and need to learn how to read.

  9. Link to dump? by Anonymous Coward · · Score: 0

    Does anyone have a torrent/link to the dump? This data could be very interesting to us nerds.

  10. Re:government incompetence by HarrySquatter · · Score: 1

    This isn't even good trolling...

  11. AWS by lashi · · Score: 1

    Hosted by AWS? Doesn't AWS ask you to set up a password by default?

    1. Re:AWS by gweihir · · Score: 1

      You can get "public" storage on AWS that you can hand out links to, no password required for read access. Of course, nobody with at least 1 brain cell uses this for confidential data.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
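
The "public storage" gweihir describes is a bucket whose access policy grants read to everyone, so no credential is ever checked. The following added example (not code from the thread, FitMetrix or Mindbody) shows how a defender audits for that condition offline: it scans an S3-style bucket policy document for statements that allow object reads to an anonymous principal without any condition, and checks that the bucket-level Block Public Access settings are all enabled. The bucket name, account id and role name in the sample policies are constructed placeholders, and it is an assumption that the exposed storage was an S3 bucket.

```python
"""Audit a bucket policy document for anonymous (unauthenticated) read access.

Added example, not from the Slashdot thread or from FitMetrix/Mindbody. Assumes the
exposed "storage server" was an S3 bucket; the policy documents are constructed samples.
"""
import json
from typing import Any, List

# Actions that let a caller fetch object contents.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the Principal element matches everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_public_read_statements(policy_json: str) -> List[str]:
    """Return the Sid (or index) of every statement granting unconditional anonymous read."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition block narrows the grant (e.g. to a VPC endpoint); only flag
        # statements that apply to everyone, everywhere.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def public_access_block_ok(config: dict) -> bool:
    """True when all four Block Public Access settings are enabled on the bucket."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed sample: the weak setting. Anyone on the internet can read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-metrics-bucket/*",
    }],
})

# Constructed sample: the corrected setting. Only one application role may read.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-metrics-bucket/*",
    }],
})

WEAK_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_BLOCK = {k: True for k in WEAK_BLOCK}


def audit(policy_json: str, block_config: dict) -> dict:
    """Summarise both checks for one bucket."""
    return {
        "public_read_statements": find_public_read_statements(policy_json),
        "public_access_block_ok": public_access_block_ok(block_config),
    }


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_POLICY, WEAK_BLOCK))
    print("hardened:", audit(HARDENED_POLICY, HARDENED_BLOCK))
```

In practice the policy and Block Public Access configuration would be pulled per bucket from the cloud API and fed to these functions; the offline form here is what a policy-as-code test or a pre-deploy CI check would run against the templates before anything is created.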
  12. Time to start to make them pay by gweihir · · Score: 2

    I think the CEO and CISO behind bars for 10 years and having their private fortune impounded to pay for the damage would be a good start. But since the law is not about actually protecting citizens, nothing will happen and that state will continue.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Time to start to make them pay by Anonymous Coward · · Score: 0

      I'm sure you would love for the government to seize private citizens' assets when they have no liability. Until they come for yours.

      And, DUH!

  13. Servers Without Passwords by Anonymous Coward · · Score: 3, Funny

    I am the IT specialist of Servers Without Passwords, and after years of working with this non-profit NGO to liberate data in this increasingly locked-down online world, it's heartening to see headlines like these in recognition of our efforts.

  14. Is this what Richard Stallman recommended? by micahraleigh · · Score: 0

    Didn't he want everyone to use the same password? Or no passwords?

  15. Re:government incompetence by Anonymous Coward · · Score: 0

    Found the libtard apologist. Every time huge government failures come out guys like you, perhaps paid to do this, start defending it by accusing normal everyday Americans like me of being a troll. Sad.

  16. Lawsuit by Anonymous Coward · · Score: 0

    Here's hoping they eat a big fat lawsuit

  17. Re:government incompetence by Anonymous Coward · · Score: 0

    Read the article, libtard. Government approved this company's operation. Of course it was done under Obama and Clinton so you criminal colluding democrat party types don't care.