Tuesday, May 6, 2025
HomeCyber Security NewsFitMetrix Unprotected Passwordless Database Exposed Millions of User​ Data

FitMetrix Unprotected Passwordless Database Exposed Millions of User​ Data

Published on

SIEM as a Service

Follow Us on Google News

Fitmetrix is a fitness company that builds fitness tracking software for the gym, studios that track heart rate and other fitness metrics.

The company exposed a passwordless database hosted on AWS contains millions of customer records such as name, gender, email address, birth date, home and work phone, height, weight and much more.

The huge database with 119GB of data was indexed by Shodan and was found by Bob Diachenko, Director of Cyber Risk Research at Hacken.

- Advertisement - Google News
Passwordless Database

Also, shodan labeled the database as compromised and a readme file inside the database contains a ransom note.

Ransom notes read as follows

“mail”:”abightly59@cock.li”,”note”:”14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3″,”btc“:”ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY”}}]}}

The researcher said that “the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note.”

But the script fails and the database is not encrypted, the Passwordless Database appears to have audit data from July 15th to Sept 19th, 2018.

Diachenko contacted FitMetrix and Mindbody initially there is no response, “Taking into account the size and sensitivity of data, we have decided to contact trusted journalists with whom we worked on several similar cases in the past, so they could reach out to the company via their ‘media channels’ and grab their attention.”

“Finally, after several notification attempts, Mindbody responded and the database was secured on October 10th,” the researcher said in the blog post.

Related Read

Best ways to Lock Down the Highly Sensitive Data From the Massive Breaches

Hackers Uploaded 42M Record that Contains Email Address and Credit Card Data to Free Anonymous Hosting Service

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Signal App Used by Trump Associate Targeted in Security Breach

A major security scare has erupted in Washington after reports emerged that a Trump...

CISA Issues Alert on Langflow Vulnerability Actively Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively...

Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures

A newly discovered pre-authentication denial-of-service (DoS) vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise networks...

Critical Microsoft 0-Click Telnet Vulnerability Enables Credential Theft Without User Action

A critical vulnerability has been uncovered in Microsoft’s Telnet Client (telnet.exe), enabling attackers to...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Signal App Used by Trump Associate Targeted in Security Breach

A major security scare has erupted in Washington after reports emerged that a Trump...

CISA Issues Alert on Langflow Vulnerability Actively Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively...

Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures

A newly discovered pre-authentication denial-of-service (DoS) vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise networks...