A trio of unprotected Elasticsearch servers hosted by Amazon Web Service (AWS) left 113.5 million records of fitness tracking company FitMetrix customers exposed, according to the security researcher who discovered the databases.
The company, which creates software for the likes of SoulCycle and CrossFit, was acquired in February by wellness technology vendor Mindbody, failed to protect the data with passwords, Hacken.io Director of Cyber Risk Research Bob Diachenko wrote in a blog post.
âA FitMetrix-related Elasticsearch database with 119GB of data ended up being indexed by Shodan search and found by me on October 5,â Diachenko said. âMoreover, it has been labeled by Shodan as ‘compromised’ meaning that database contains a ‘Readme’ file with a ransom demand note.â
Elasticsearch and other popular non-SQL databases, he said, âwere targeted by malicious actors for a long time now.â
Apparently, the attackers used âa script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,â Diachenko said, explaining that the âscript sometimes fails and the data is still available to the user even though a ransom note is created.â
He noted that the database contained âdaily FitMetrix audit dataâ from July 15 to Sept. 19, including names, email addresses, phone numbers, gender, profile pics, emergency contacts and workout locations, and emergency contacts, and that an API key was visible as well.
Mindbody CISO Jason Loomis said the company âtook immediate steps to close this vulnerabilityâ once the data exposure was discovered, according to Techcrunch, âCurrent indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information.â
Exposures like that at FitMetrix occur âmore frequently than ever with enterprises running complex multicloud environments,â said Balaji Parimi, CEO at CloudKnox Security. âThe most likely scenario, in this case, is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed.â
While theyâre ârarely malicious,â he said the incidents stem from the âthe complexity of and lack of visibility organizations have into their own infrastructure,â which he called the âbiggest cyber threat facing enterprises today.â
Pat Cable, senior infrastructure security engineer,Â Threat Stack, said the incidents occur âwhere security has taken a backseat to availability.â
He said teams should âassess whether or not the storage system theyâre using is risk-appropriate for the information theyâre storing.â
While its challenging âto do this in organizations experiencing M&A transitionâ¦, establishing visibility can help you expose and assess the process changes that need to happen,â said Cable.
Site Search 360 Reports