FitMetrix exposes millions of customer details via insecure ElasticSearch server cluster

• The servers were left insecure, allowing anyone who knows were to find the data, to also access it.
• Hackers could launch effective social-engineering attacks using the exposed information.

FitMetrix, a fitness technology and activity tracking company owned by gym booking giant, Mindbody, has exposed millions of customer details. The incident occurred due to several servers that were left insecure, and all sensitive records were accessed by cybercriminals prior to the public access being shut down.

The exposed information includes customer data, contact information, birth dates and height / weight data, emergency contact information and the contact’s relationship with the customer. Other information such as nicknames, shoe size, Facebook ID, home phone and activity level were also available. The information exposed opens door for the cybercriminals who have access to the data to launch effective social-engineering attacks.

The Hacken security team came across the open database while examining Shodan Internet of Things (IoT) search engine for accessible Elasticsearch buckets. According to Hacken security team, Elasticsearch is a database that stores, retrieves and manages document-oriented and semi-structured data. Elasticsearch also remains one of the most popular targets for malicious actors, added Hacken.

It is still unknown for how long the servers had remained exposed without any password protection. The servers included two of the same Elasticsearch instances and a storage server all hosted on Amazon Web Service. However, none of them were password protected, allowing anyone who knew where to look for the data to access it.

Bob Diachenko, director of cyber-risk research at Hacken said, the database contained 119GB of data with two different indexes: The total count of records in ‘platformaudit’ was 122,869,970 and records in ‘fitmetrixaudit’ was 113,521,722. Diachenko could access the database without any password or login credentials when he found out the data on Oct. 5. Researchers also said that the exposed data could be used to launch social-engineering attacks on the customers.

“We assume that not all of those records represent customer records. Part of the records relate to ‘facility’ descriptions, but nevertheless the numbers are big,” Diachenko said in a posting this week.

However, Diachenko wasn’t the only person who has found the records. A ransom note was hidden by one of the attacker who claimed to have downloaded the database contents and would restore it for Bitcoins. But Diachenko said the attacker failed to delete the data. The demand made by the hacker was 0.1 Bitcoin - amounting to $650 dollars by todays rate.

Diachenko did send several emails to FitMetrix and Mindbody to privately alert them on the exposed database, but did not get any response from both the compaines.

Later Diachenko did go public with his findings. “Taking into account the size and sensitivity of data, we have decided to contact trusted journalists with whom we worked on several similar cases in the past, so they could reach out to the company via their 'media channels' and grab their attention.” he said.

However, after alerting media, Mindbody responded to the alerts and secured the database on October 10th.