FitMetrix data exposed on Elasticsearch servers

Posted date 19/10/2018

On October 5, 2018, security researcher Bob Diachenko discovered an unsecured Elasticsearch database belonging to FitMetrix that held 119 GB of customer and gym facility data. FitMetrix, a company owned by Mindbody, designs software that monitors customer performance in gyms.

The exposed database contained two indexes with 122,869,970 and 113,521,722 million records, respectively. The leaked data included name, sex, email address, birthdate, emergency contact information and customer contact relationship, nickname, shoe size, height and weight, Facebook ID, mobile phone, home phone and activity level.

Jason Loomis, Mindbody's CISO, acknowledged the data leak and said they would use this incident to improve their security. The database was secured on October 10, 2018.