Over 60 million wearable, fitness tracking records exposed via unsecured database

An unsecured database containing over 61 million records related to wearable technology and health products and services was left exposed online.

On Monday, WebsitePlanet, in conjunction with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth.

Based in New York, GetHealth describes itself as a “unified strategy to access fitness and wellness information from masses of wearables, medical devices, and apps.” The company’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.

On June 30, 2021, the team discovered a database online that was not password protected.

The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets.

While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple’s HealthKit.

“This information was in plain text while there was an ID that appeared to be encrypted,” the researchers said. “The geo location was structured as in “America/New_York,” “Europe/Dublin” and revealed that users were located all over the world.”

“The files also show where data is stored and a blueprint of how the network operates from the backend and was configured,” the team added.

References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the company’s CTO reached out, informed him that the security issue was now resolved, and thanked the researcher.

“It’s unclear how long these records were exposed or who else may have had access to the dataset,” WebsitePlanet said. “[…] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”

ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.
