Over 60 million wearable, fitness tracking records exposed via unsecured database

Source: This article was first published on https://www.zdnet.com/article/over-60-million-records-exposed-in-wearable-fitness-tracking-data-breach-via-unsecured-database/

Data sources included Apple’s HealthKit and Fitbit.

An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth.

Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.

On June 30, 2021, the team discovered a database online that was not password protected.

The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets.

While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple’s HealthKit.

[Screenshot 1, from WebsitePlanet]

“This information was in plain text while there was an ID that appeared to be encrypted,” the researchers said. “The geolocation was structured as in ‘America/New_York,’ ‘Europe/Dublin’ and revealed that users were located all over the world.”


[Screenshot 2, from WebsitePlanet]

“The files also show where data is stored and a blueprint of how the network operates from the backend and was configured,” the team added.

References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm’s CTO reached out, informed him that the security issue was now resolved, and thanked the researcher.

“It is unclear how long these records were exposed or who else may have had access to the dataset,” WebsitePlanet said. “[…] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”