Slashdot Mirror


MindBody-Owned FitMetrix Exposed Millions of User Records -- Thanks To Servers Without Passwords (techcrunch.com)

An anonymous reader writes: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes -- like CrossFit and SoulCycle -- that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing. Last week, a security researcher found three FitMetrix unprotected servers leaking customer data. It isn't known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two of the same Elasticsearch instances and a storage server -- all hosted on Amazon Web Services -- yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users. Bob Diachenko, Hacken.io's director of cyber risk research, found the databases containing 113.5 million records -- though it's not known how many users were directly affected. Each record contained a user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

4 of 29 comments

  1. Re:Where do companies find.... by HarrySquatter · Score: 2

    The H1-B outsourcing company that charges the least.

  2. Time to start to make them pay by gweihir · Score: 2

    I think the CEO and CISO behind bars for 10 years and having their private fortune impounded to pay for the damage would be a good start. But since the law is not about actually protecting citizens, nothing will happen and that state will continue.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  3. Servers Without Passwords by Anonymous Coward · Score: 3, Funny

    I am the IT specialist of Servers Without Passwords, and after years of working with this non-profit NGO to liberate data in this increasingly locked-down online world, it's heartening to see headlines like these in recognition of our efforts.

  4. Re:Where do companies find.... by ripvlan · Score: 2

    They probably outsourced it --- and nowhere in the requirements did it say "please protect servers with a password".