A misconfigured AWS S3 bucket at V Shred exposed more that one million files, including PII on 99,000 people associated with the fitness brand’s customers.

Researchers at vpnMentor led by Noam Rotem and Ran Locar discovered the open server and alerted the company, which apparently removed the file containing the most PII, but kept the bucket itself open.

The AWS bucket, whose URL contained “vshred,” and which contained files with the company’s logo and other identifiers “was completely opened to the public,” the researchers wrote in a blog post.

“V Shred claimed it was necessary for user files to be publicly available and denied that any PII data had been exposed,” the researchers said.