A database from the fitness software company Kinomap was found exposed on the internet leaving the records of 42 million users open and viewable for at least one month.
The data breach was found on March 16 by the open-database hunting team of Noam Rotem and Ran Locar of vpnMentor’s. Kinomap creates immersive, interactive workout videos for use with various types of fitness machines, including the popular Peloton products, along with coaching and personal trainer videos.
The database contained 40GB of records covering 42 million people from 80 countries. The PII included full names, home country, email addresses, usernames for Kinomap accounts, gender, timestamps for exercises and the date they joined Kinomap.
After the duo confirmed the breach, they informed Kinomap of the situaiton by email on March 18 and then again on March 30 but no response was received. After the second contact attempt VPNMentor contacted the Commission nationale de l’informatique et des libertés (CNIL), France’s independent data privacy regulator. The researchers said the record repository was not locked down until April 12.
Kinomap President Philippe Moity told SC Media that it closed the database on the day it was informed of the issue by the CNIL and that the information contained was that of registrations and not individual users. Kinomap did not note any messages from VPNMentor, but it will investigate further to see if it had in fact been contacted earlier.
“We use elastic to deliver public information on videos, members, activities quickly on our website and in the apps. However, we’ve taken the situation seriously as it should and have asked for a 3rd-party security auditor to make a deeper analysis and report,” Moity said.
Rotem and Locar said the software also has a social media feature that includes a user bio and other data points that could be pulled together and used in a malicious fashion.
“If a malicious hacker had discovered this database, they could easily combine the information contained within in numerous ways, creating highly effective and damaging fraud schemes and other forms of online attack,” Rotem and Locar said.
The information in the database could also allow the Kinomap accounts to be taken over as the Kinomap API keys were found. These could give an attacker complete access to an account locking out the owner, they said.