PayAsUGym, which sells passes to gyms around the country so customers can avoid lengthy contracts, has confirmed that on Thursday one of its servers was the victim of a cyber-attack.
The firm said that as a result of the attack, the email addresses and passwords of its 305,000 users had been stolen.
Those customers have now all been emailed and advised to change their password and the company has also migrated to a new server after it sought advice from cyber-security experts.
The email, which went out to customers on Friday, said, “passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password.”
It went on, "one of the company's IT servers was accessed by an unauthorised person".
That person is allegedly a Twitter user named “1×0123” (@real_1x0123), whose tweets show them attempting to contact PayAsUGym on Twitter to alert the company to the breach, but with little by way of response.
Speaking with website DataBreaches.net, 1×0123 described the abilities he managed to acquire on the PayAsUGym website (edited for clarity): “I have permissions to read/write on the server, delete content, change content from the home page. I can control domains including subdomains, read all databases inside MySQL. Access to SFTP to manage files, and access to SSH to control the server.”
1×0123 claimed that he acquired the information using a zero-day provided by a friend.
PayAsUGym claims that it uses “leading technological and security measures (electronic, physical and procedural) to ensure the safety and confidentiality of your Customer Information through collection, storage and disclosure.”
1×0123 informed DataBreaches.net that the password for those was “getme1n.”
And despite PayAsUGym's statement, which might suggest that all customer data is stored in the UK (“Customer Information collected by PayasUgym is stored on a central database hosted by UK Fast our carefully selected third party provider in the UK”), a screenshot provided by 1×0123 shows that customer data was on a server in Holland.
PayAsUGym said once it was alerted to this incident, it "closed down" the breach and contacted the police.
The firm said that no financial credentials were stolen as the website uses a "tokenised system" for customer payments which, it says, means card details are stored at the payment gateway - not on its servers.
"This is the highest level of security process for dealing with payments," it said.
PayAsUGym added: "We take the security of customer information very seriously. Unfortunately cyber-attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored."