Data for an unknown number of FitMetrix users was left exposed on the Internet via a cluster of ElasticSearch servers, a security researcher has discovered.
The servers, which were not secured with an access password, allowed anyone knowing their IP address to access a trove of information, some of which contained the personal data of FitMetrix users.
According to its website, FitMetrix is a company that provides heart rate monitoring software for gyms, studios, corporate wellness programs, and healthcare professionals. The company was founded in 2013 and acquired earlier this year by Mindbody, Inc., another company that provides a large catalog of cloud-based business management software for the wellness services industry.
The exposed FitMetrix server cluster was discovered by Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken.
Diachenko told ZDNet the exposed ElasticSearch server cluster, a technology used for powering distributed search, contained hundreds of millions of data records.
Not all of the records were customer profiles; some contained information about facilities and other data points, Diachenko told ZDNet, but when user records were exposed they usually contained the user’s name, gender, birth date, email, username, body size measures, and various FitMetrix program indicators. See the image attached below.
Diachenko told ZDNet he was not able to determine the exact number of user details exposed in the ElasticSearch server cluster, but, in total, the servers appeared to contain over 119GB of data. In an SEC filing, MindBody claimed to serve over 35 million monthly active users, but it is unclear how many of those are using its FitMetrix system.
Additionally, the researcher also says the servers exposed an API key that seemed to be used for managing the FitMetrix server infrastructure.
Last but not least, he also discovered a ransom note that appears to have been written inside the ElasticSearch servers by a remote attacker. This message was as follows:
“ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY”
Ransom notes left inside ElasticSearch servers were first seen in January 2017, when hackers realized they could place such messages inside exposed servers and trick server owners into paying ransoms. In most reported cases, attackers didn’t delete or encrypt data, but merely hoped to scare a victim into paying the ransom demand.
Nonetheless, the presence of this ransom note means the FitMetrix server was left exposed online long enough to be scanned and discovered by at least two people: Diachenko and the ransomer.
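Two checks follow from the incident described above: whether a cluster answers anonymous requests at all, and whether any index already holds a ransom note of the kind quoted here. The script below is an added example written for this article, not code from ZDNet, Hacken or FitMetrix; the index names, the sample documents, the Bitcoin address placeholder and the keyword heuristics are all constructed for the demonstration, and it is meant to be pointed at a cluster you administer yourself.

```python
"""Self-audit helpers for an Elasticsearch cluster: does it answer anonymous
requests, and does any index look like a ransom note was dropped in?"""
import json
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Index names attackers commonly pick for the note they leave behind.
# Assumption: this pattern is a heuristic chosen for the example, not from the article.
NOTE_NAME_RE = re.compile(r"(read|warning|restore|ransom|please)", re.IGNORECASE)
# Phrases such notes tend to contain; two or more hits flags a document.
RANSOM_MARKERS = ("BACKED UP", "BTC", "BITCOIN", "RESTORE", "SEND", "PAY")


def classify_anonymous_probe(status_code: int) -> str:
    """Interpret the HTTP status of an unauthenticated GET / against the cluster.
    200 means anyone who can reach the port can read, write and delete data;
    401/403 means authentication is enforced."""
    if status_code == 200:
        return "open"
    if status_code in (401, 403):
        return "auth-required"
    return "unknown"


def probe_cluster(base_url: str, timeout: float = 5.0) -> str:
    """Send one anonymous GET to your own cluster's root URL and classify the answer."""
    try:
        with urllib.request.urlopen(base_url, timeout=timeout) as resp:
            return classify_anonymous_probe(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_anonymous_probe(exc.code)


def parse_cat_indices(text: str) -> List[str]:
    """Return index names from the JSON form of GET /_cat/indices?format=json."""
    return [row["index"] for row in json.loads(text)]


def looks_like_ransom_note(text: str) -> bool:
    """True when a document body contains at least two ransom-note marker phrases."""
    upper = text.upper()
    return sum(1 for marker in RANSOM_MARKERS if marker in upper) >= 2


def suspicious_indices(index_names: List[str], samples: Dict[str, List[str]]) -> List[str]:
    """Flag indices whose name or sampled document text looks like a ransom note.
    `samples` maps an index name to a few document bodies pulled from that index."""
    flagged = []
    for name in index_names:
        by_name = bool(NOTE_NAME_RE.search(name))
        by_body = any(looks_like_ransom_note(doc) for doc in samples.get(name, []))
        if by_name or by_body:
            flagged.append(name)
    return flagged


# Constructed sample: what /_cat/indices?format=json might return on an affected cluster.
CAT_INDICES_JSON = json.dumps([
    {"health": "green", "status": "open", "index": "user_profiles", "docs.count": "1200"},
    {"health": "green", "status": "open", "index": "facilities", "docs.count": "40"},
    {"health": "green", "status": "open", "index": "please_read", "docs.count": "1"},
])

# Constructed sample documents; the address is a placeholder, not a real wallet.
SAMPLE_DOCS = {
    "user_profiles": ['{"name": "Example User", "gender": "F", "birth_date": "1990-01-01"}'],
    "please_read": [
        "ALL YOUR DATA HAS BEEN BACKED UP. SEND 0.1 BTC TO BTC_ADDRESS_PLACEHOLDER TO RESTORE"
    ],
}


def run_demo() -> List[str]:
    """Run the index check over the constructed sample and return flagged index names."""
    names = parse_cat_indices(CAT_INDICES_JSON)
    return suspicious_indices(names, SAMPLE_DOCS)


if __name__ == "__main__":
    print("status 200 means:", classify_anonymous_probe(200))
    print("suspicious indices:", run_demo())
```

To audit a live cluster you own, call `probe_cluster("http://127.0.0.1:9200/")` and, if it returns `"open"`, treat that as the finding in its own right: bind the node to a private interface, put it behind a firewall, and enable authentication before worrying about the contents of any index.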
The researcher, who identified the server last week, responsibly disclosed the exposed servers to Mindbody. After several failed attempts by the researcher to get in contact with the company, Mindbody secured the servers as soon as it was made aware of the issue yesterday.
“We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed. We took immediate steps to close this vulnerability,” said Jason Loomis, MINDBODY Chief Information Security Officer, in a statement provided to ZDNet via email.
“Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by MINDBODY in February 2018, and did not include any login credentials, passwords, credit card information or personal health information,” he added.
“MINDBODY takes the privacy and security of our customer and consumer data seriously, and we will leverage this incident to continuously improve our security posture.”