An unsecured online database is to blame for yet another major privacy incident after fitness tech company Kinomap accidentally leaked 42 million records, including personally identifiable information (PII).
Researchers at vpnMentor found the wide-open data trove as part of an ongoing web mapping project.
vpnMentor contacted the French firm on March 28 but received no reply. The exposure was finally closed on April 12, after the French data protection regulator had also been informed.
Kinomap allows users to create and share interactive workout videos online. Its name was peppered throughout the 40GB database vpnMentor discovered, containing 42 million records from users across the globe, including North America, Australia, Japan, the UK and several European countries.
PII exposed in the leak apparently included full names, email addresses, home countries, usernames and timestamps for exercises. However, the researchers also found personal data leaking more indirectly.
“Many of the entries contained links to Kinomap user profiles and records of their account activity. Similar to social media accounts, Kinomap profiles can reveal considerable personal details about a user,” vpnMentor explained.
“If a malicious hacker had discovered this database, they could easily combine the information contained in numerous ways, creating highly effective and damaging fraud schemes and other forms of online attack.”
These data entries also included access keys for the Kinomap API, which hackers could use to hijack accounts and lock out their owners, the researchers claimed.
They argued that hackers may be looking to target online exercise apps like Kinomap, which have seen an influx of users due to current stay-at-home orders. PII like this could offer a great opportunity to carry out follow-on phishing and identity fraud, or to covertly install malware on a user’s phone, vpnMentor added.
That’s besides the potential fallout for the company if GDPR regulators find that systemic negligence is behind the incident.