Wednesday, February 21, 2024

FitMetrix Unprotected Passwordless Database Exposed Millions of User​ Data

Fitmetrix is a fitness company that builds fitness tracking software for the gym, studios that track heart rate and other fitness metrics.

The company exposed a passwordless database hosted on AWS contains millions of customer records such as name, gender, email address, birth date, home and work phone, height, weight and much more.

The huge database with 119GB of data was indexed by Shodan and was found by Bob Diachenko, Director of Cyber Risk Research at Hacken.

Passwordless Database

Also, shodan labeled the database as compromised and a readme file inside the database contains a ransom note.

Ransom notes read as follows

“mail”:”[email protected]”,”note”:”14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3″,”btc“:”ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY”}}]}}

The researcher said that “the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note.”

But the script fails and the database is not encrypted, the Passwordless Database appears to have audit data from July 15th to Sept 19th, 2018.

Diachenko contacted FitMetrix and Mindbody initially there is no response, “Taking into account the size and sensitivity of data, we have decided to contact trusted journalists with whom we worked on several similar cases in the past, so they could reach out to the company via their ‘media channels’ and grab their attention.”

“Finally, after several notification attempts, Mindbody responded and the database was secured on October 10th,” the researcher said in the blog post.

Related Read

Best ways to Lock Down the Highly Sensitive Data From the Massive Breaches

Hackers Uploaded 42M Record that Contains Email Address and Credit Card Data to Free Anonymous Hosting Service

Website

Latest articles

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...

VMware Urges to Remove Enhanced EAP Plugin to Stop Auth & Session Hijack Attacks

VMware has issued an urgent advisory to administrators to remove a deprecated authentication plugin...

LockBit Ransomware Members Charged by Authorities, Free Decryptor Released

In a significant blow to one of the most prolific ransomware operations, authorities from...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles