A leading fitness software company may have exposed millions of customer records by failing to protect a cloud database.
Researcher Bob Diachenko said he found the exposed database hosted on AWS via a simple Shodan search for unsecured Elasticsearch instances, which could be targeted by ransomware attackers.
He found the cloud store of 119GB of data belonging to Fitmetrix, with two identical sets of data and two IP addresses. Interestingly, one was labelled “compromised”, as it contained a ransom note from an ultimately unsuccessful attempt to extort the company.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko wrote.
“This script sometimes fails and the data is still available to the user even though a ransom note is created.”
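The two situations described above, an Elasticsearch node that answers with no authentication and a ransom note left beside data the script failed to delete, can be checked with a few REST calls. The following is an added example, not code from the article or from Diachenko: it reads the JSON bodies of `GET /` and `GET /_cat/indices?format=json`, flags indices that look like ransom notes, and reports whether real data is still present next to the note. The index-name and note-text hints and the sample responses are constructed assumptions, not material from the Fitmetrix cluster; only probe hosts you are authorised to test.

```python
"""Assess an Elasticsearch endpoint for anonymous access and ransom-note residue.

Added example for this article, not code from the researcher or from Fitmetrix.
It works on the JSON bodies of GET / and GET /_cat/indices?format=json, so it runs
offline against constructed responses; pass http_get(base_url) to probe a live node.
"""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumptions (not from the article): names the delete-and-ransom scripts commonly
# give their note index, and phrases expected inside the note document.
RANSOM_INDEX_HINTS = ("read_me", "readme", "warning", "please_read", "recover")
RANSOM_TEXT_HINTS = ("bitcoin", "btc", "ransom", "recover your data")
# A ransom note is a one-document index; only sample tiny indices for note text.
MAX_DOCS_TO_SAMPLE = 5

Fetch = Callable[[str], Optional[str]]  # path -> body text, or None if refused/denied


@dataclass
class ExposureReport:
    anonymous_access: bool
    version: Optional[str] = None
    index_count: int = 0
    data_docs: int = 0                       # documents in indices that are not ransom notes
    suspect_indices: List[str] = field(default_factory=list)

    def ransom_note_left_but_data_present(self) -> bool:
        """The failure mode in the article: note created, data never deleted."""
        return bool(self.suspect_indices) and self.data_docs > 0


def http_get(base_url: str, timeout: float = 5.0) -> Fetch:
    """Fetch helper for a live node; 401/403 or connection errors become None."""
    def fetch(path: str) -> Optional[str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.read().decode("utf-8", "replace")
        except Exception:
            return None
    return fetch


def _looks_like_ransom_index(name: str, docs: int, fetch: Fetch) -> bool:
    if any(h in name.lower() for h in RANSOM_INDEX_HINTS):
        return True
    if docs > MAX_DOCS_TO_SAMPLE:
        return False
    body = fetch(f"/{name}/_search?size=1")
    if not body:
        return False
    try:
        hits = json.loads(body).get("hits", {}).get("hits", [])
    except ValueError:
        return False
    text = json.dumps(hits).lower()
    return any(h in text for h in RANSOM_TEXT_HINTS)


def assess(fetch: Fetch) -> ExposureReport:
    root = fetch("/")
    try:
        info = json.loads(root) if root else None
    except ValueError:
        info = None
    if not isinstance(info, dict) or "version" not in info:
        return ExposureReport(anonymous_access=False)   # secured, or not Elasticsearch
    report = ExposureReport(anonymous_access=True,
                            version=info.get("version", {}).get("number"))
    body = fetch("/_cat/indices?format=json")
    for entry in (json.loads(body) if body else []):
        name = entry.get("index", "")
        docs = int(entry.get("docs.count") or 0)    # None for closed indices
        report.index_count += 1
        if _looks_like_ransom_index(name, docs, fetch):
            report.suspect_indices.append(name)
        else:
            report.data_docs += docs
    return report


# Constructed sample responses (not real Fitmetrix data) mimicking an unsecured node
# on which the ransom script created its note but failed to delete the data.
SAMPLE_RESPONSES = {
    "/": json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                     "version": {"number": "6.4.2"}, "tagline": "You Know, for Search"}),
    "/_cat/indices?format=json": json.dumps([
        {"index": "members", "docs.count": "122000000", "store.size": "119gb"},
        {"index": "warning", "docs.count": "1", "store.size": "4.3kb"},
        {"index": "meta", "docs.count": "1", "store.size": "3.9kb"},
        {"index": "archive-2017", "docs.count": None, "store.size": None},
    ]),
    "/meta/_search?size=1": json.dumps({"hits": {"hits": [
        {"_source": {"msg": "Your database has been deleted. Send 0.2 bitcoin to recover your data."}}]}}),
}


def sample_fetch(path: str) -> Optional[str]:
    return SAMPLE_RESPONSES.get(path)


if __name__ == "__main__":
    print(assess(sample_fetch))
```

Pass `http_get("http://host:9200")` instead of `sample_fetch` to run it against a real node; a node behind authentication returns None for `/` and is reported as not anonymously accessible.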
The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more.
The total number of records affected topped 122 million, although it’s unlikely that all of these contain customer data, according to Diachenko, who estimated that “millions” were still likely to have been affected.
Parent company Mindbody, which acquired the firm earlier this year, finally responded and secured the database five days after first being contacted, on October 10.
Balaji Parimi, CEO of CloudKnox Security, said these incidents are occurring more frequently as complex multi-cloud environments become more popular.
“The most likely scenario in this case is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed. These incidents are rarely malicious. They are the result of what’s emerging as the biggest cyber-threat facing enterprises today: the complexity of and lack of visibility organizations have into their own infrastructure,” he argued.
“In order to mitigate these types of mistakes and the threat they pose, it’s critical for companies to devote cybersecurity resources to gaining better visibility. That means understanding which employees have the types of privileges that can affect the company’s security posture and limiting those privileges to properly trained, security-conscious employees. With proper visibility and authorization settings, organizations can put real guard rails in place to help prevent these types of mistakes.”