FitMetrix data exposed on unprotected Elasticsearch servers

A trio of unprotected Elasticsearch servers hosted by Amazon Web Service (AWS) left 113.5 million records of fitness tracking company FitMetrix customers exposed, according to the security researcher who discovered the databases.

The company, which creates software for the likes of SoulCycle and CrossFit, was acquired in February by wellness technology vendor Mindbody, failed to protect the data with passwords, Director of Cyber Risk Research Bob Diachenko wrote in a blog post.

“A FitMetrix-related Elasticsearch database with 119GB of data ended up being indexed by Shodan search and found by me on October 5,” Diachenko said. “Moreover, it has been labeled by Shodan as 'compromised' meaning that database contains a 'Readme' file with a ransom demand note.”

Elasticsearch and other popular non-SQL databases, he said, “were targeted by malicious actors for a long time now.”

Apparently, the attackers used “a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko said, explaining that the “script sometimes fails and the data is still available to the user even though a ransom note is created.”

He noted that the database contained “daily FitMetrix audit data” from July 15 to Sept. 19, including names, email addresses, phone numbers, gender, profile pics, emergency contacts and workout locations, and emergency contacts, and that an API key was visible as well.

Mindbody CISO Jason Loomis said the company “took immediate steps to close this vulnerability” once the data exposure was discovered, according to Techcrunch, “Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.”

Exposures like that at FitMetrix occur “more frequently than ever with enterprises running complex multicloud environments,” said Balaji Parimi, CEO at CloudKnox Security. “The most likely scenario, in this case, is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed.”

While they’re “rarely malicious,” he said the incidents stem from the “the complexity of and lack of visibility organizations have into their own infrastructure,” which he called the “biggest cyber threat facing enterprises today.”

Pat Cable, senior infrastructure security engineer, Threat Stack, said the incidents occur “where security has taken a backseat to availability.”

He said teams should “assess whether or not the storage system they’re using is risk-appropriate for the information they’re storing.”

While its challenging “to do this in organizations experiencing M&A transition…, establishing visibility can help you expose and assess the process changes that need to happen,” said Cable.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.