Kinomap, a fitness software company, suffered a data breach in which its database was found exposed on the Internet, leaving 42 million user records open and viewable for over a month.
vpnMentor’s open-database hunting team of Noam Rotem and Ran Locar found the exposed database on March 16.
Kinomap provides interactive workout videos for various types of fitness machines, including the popular Peloton products, along with coaching and personal-trainer videos.
The database contained 40GB of records on 42 million people from 80 countries. The Personally Identifiable Information (PII) included full names, home country, email addresses, usernames for Kinomap accounts, gender, timestamps for exercises and the date of joining the app.
After confirming the exposure, the researchers contacted Kinomap by email on March 18 and again on March 30 but received no response. After the second attempt, vpnMentor contacted the Commission nationale de l’informatique et des libertés (CNIL), France’s independent data-privacy regulator. The researchers stated that the record repository was not locked down until April 12.
Kinomap President Philippe Moity said that the company closed the database immediately on the day it was informed of the issue, and that the information it contained was that of registrations and not individual users.
Moity also stated that the company uses Elastic to deliver public information on videos, members and activities quickly on its website and in its apps, and that it has now asked a third-party security auditor to perform a deeper analysis and report on the issue.
The researchers said that the software also has a social-media feature that includes a user bio and other data points that could be pulled together and used maliciously.
If an attacker found this database, they could easily combine the information it contains in numerous ways, creating severely damaging fraud schemes and other forms of online attack.
The database also contained Kinomap API keys, which would allow Kinomap accounts to be taken over, giving an attacker total access to an account while locking out its owner.
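The account-takeover risk above comes from raw API keys sitting inside the exposed records. The following is an added illustration, not Kinomap's code or schema, of why that matters: it contrasts a record store that keeps the key in plaintext with one that keeps only a SHA-256 digest, and shows that an exported copy of the hashed record cannot be used to authenticate. All function and field names (`issue_key_plaintext`, `api_key_hash`, etc.) are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed, hypothetical record store: {user_id: {...}}. Not a real product schema.


def issue_key_plaintext(users: dict, user_id: str) -> str:
    """Weak pattern: the raw key is stored, so a leaked record is a usable credential."""
    key = secrets.token_urlsafe(32)
    users[user_id] = {"api_key": key}
    return key


def issue_key_hashed(users: dict, user_id: str) -> str:
    """Hardened pattern: only a SHA-256 digest is stored; the raw key is returned once to the owner."""
    key = secrets.token_urlsafe(32)
    users[user_id] = {"api_key_hash": hashlib.sha256(key.encode()).hexdigest()}
    return key


def authenticate_plaintext(users: dict, presented: str):
    """Return the user id whose stored raw key matches the presented key, else None."""
    for uid, rec in users.items():
        if hmac.compare_digest(rec["api_key"], presented):
            return uid
    return None


def authenticate_hashed(users: dict, presented: str):
    """Hash the presented key and compare digests in constant time; return user id or None."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for uid, rec in users.items():
        if hmac.compare_digest(rec["api_key_hash"], digest):
            return uid
    return None


def leaked_record_grants_access(users: dict, authenticate, field: str) -> dict:
    """Blast-radius check: would the value stored in `field`, if exported, authenticate as the owner?"""
    return {uid: authenticate(users, rec[field]) == uid for uid, rec in users.items()}


if __name__ == "__main__":
    plain, hashed = {}, {}
    issue_key_plaintext(plain, "user-1")
    issue_key_hashed(hashed, "user-2")
    print("plaintext store leak usable:", leaked_record_grants_access(plain, authenticate_plaintext, "api_key"))
    print("hashed store leak usable:   ", leaked_record_grants_access(hashed, authenticate_hashed, "api_key_hash"))
```

Because API keys are generated with high entropy, an unsalted SHA-256 digest is sufficient here (unlike passwords, which need a slow, salted hash). Hashing at rest does not replace authentication on the datastore itself, which is what was missing in this incident; it only limits what an exposed copy of the records is worth.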