Hello Gym

A data exposure incident at Hello Gym, a Minnesota-based fitness technology service provider, involved an unsecured database containing 1.6 million audio recordings (phone calls and voicemails) of gym members from 2020 to 2025. The exposed files included Personally Identifiable Information (PII) such as customer names, phone numbers, and call details, collected by independent gym franchisees via Hello Gym's third-party service. The database lacked password protection, allowing unauthorized access until researchers disclosed the issue. The exposure poses severe risks, including spear-phishing, deepfake scams, and identity theft, since cybercriminals could use the voice recordings to impersonate individuals or gym staff. While the database was secured after disclosure, the duration of exposure and whether unauthorized parties accessed it remain unknown. The incident underscores critical lapses in data security, leaving customers and employees vulnerable to fraud and malicious exploitation of sensitive personal data.

Source: https://hackread.com/hello-gym-data-leak-audio-files-of-gym-members/

TPRM report: https://www.rankiteo.com/company/hellogym

{
"id": "hel4292542091025",
"linkid": "hellogym",
"type": "Breach",
"date": "6/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '1.6 million+ (audio recordings '
                                              'from gym members across US and '
                                              'Canada)',
                        'industry': 'Fitness / Health & Wellness',
                        'location': 'Minnesota, USA',
                        'name': 'Hello Gym',
                        'type': 'Third-Party Technology Service Provider'},
                       {'industry': 'Fitness / Health & Wellness',
                        'location': ['United States', 'Canada'],
                        'name': 'Multiple Gyms (Franchisees)',
                        'type': 'Business (Fitness Centers)'}],
 'attack_vector': 'Misconfigured/Unsecured Cloud Storage',
 'data_breach': {'data_encryption': 'No (data was stored unencrypted in an '
                                    'unprotected database)',
                 'file_types_exposed': ['Audio files'],
                 'number_of_records_exposed': '1,605,345',
                 'personally_identifiable_information': ['Names',
                                                         'Phone numbers',
                                                         'Call '
                                                         'reasons/context'],
                 'sensitivity_of_data': 'High (voice data enables '
                                        'impersonation, social engineering, '
                                        'and deepfake risks)',
                 'type_of_data_compromised': ['Audio recordings (phone calls '
                                              'and voicemails)',
                                              'Personally Identifiable '
                                              'Information (PII): names, phone '
                                              'numbers, call context']},
 'description': 'An unsecured database managed by Hello Gym, a Minnesota-based '
                'company providing technology services to the fitness '
                'industry, exposed over 1.6 million audio recordings '
                '(1,605,345 files) of gym members. The exposed data included '
                'phone recordings and voicemails from 2020 to 2025, containing '
                'personally identifiable information (PII) such as customer '
                'names, phone numbers, and call reasons. The database was '
                'unprotected by a password, making it accessible to anyone '
                'with the right knowledge. The exposure poses risks of '
                'spear-phishing, deepfake creation, and identity theft. The '
                'database was secured shortly after disclosure by researcher '
                'Jeremiah Fowler, but the duration of exposure and potential '
                'unauthorized access remain unknown.',
 'impact': {'brand_reputation_impact': 'High (potential loss of trust due to '
                                       'exposure of sensitive voice data)',
            'data_compromised': ['1,605,345 audio files (phone recordings and '
                                 'voicemails)',
                                 'Personally Identifiable Information (PII): '
                                 'customer names, phone numbers, call reasons'],
            'identity_theft_risk': 'High (voice data can be used for '
                                   'impersonation, spear-phishing, and '
                                   'deepfake scams)',
            'payment_information_risk': 'Indirect (potential for scammers to '
                                        'trick victims into revealing payment '
                                        'details via social engineering)',
            'systems_affected': ['Unsecured database storing audio '
                                 'recordings']},
 'investigation_status': 'Resolved (database secured; no further details on '
                         'unauthorized access or duration of exposure)',
 'lessons_learned': 'The incident highlights the critical importance of '
                    'securing cloud databases with authentication mechanisms '
                    '(e.g., passwords) and encrypting sensitive data, '
                    'especially voice recordings, which can be exploited for '
                    'advanced social engineering attacks like deepfakes and '
                    'spear-phishing. Third-party vendors handling sensitive '
                    'data must enforce robust security protocols to prevent '
                    'exposures that could harm end-users across multiple '
                    'organizations.',
 'post_incident_analysis': {'corrective_actions': ['Database secured with '
                                                   'password authentication '
                                                   'post-disclosure.',
                                                   'Potential need for '
                                                   'encrypted storage '
                                                   'solutions and access '
                                                   'controls (not explicitly '
                                                   'confirmed).'],
                            'root_causes': ['Misconfigured cloud storage '
                                            'lacking password protection.',
                                            'Failure to encrypt sensitive '
                                            'audio data.',
                                            'Lack of oversight for third-party '
                                            'vendor (Hello Gym) managing gym '
                                            'franchisee data.']},
 'recommendations': ['Implement strong authentication (e.g., multi-factor '
                     'authentication) for all databases storing sensitive '
                     'data.',
                     'Encrypt sensitive data, including audio recordings, to '
                     'mitigate risks in case of exposure.',
                     'Conduct regular security audits and penetration testing '
                     'for third-party vendors handling customer data.',
                     'Monitor dark web and underground forums for signs of '
                     'exposed data being traded or exploited.',
                     'Educate customers about potential phishing risks '
                     'stemming from exposed voice data and provide guidance on '
                     'recognizing deepfake scams.'],
 'references': [{'source': 'Hackread.com'},
                {'source': 'Website Planet (Jeremiah Fowler)'}],
 'response': {'containment_measures': ['Securing the unprotected database with '
                                       'password authentication'],
              'incident_response_plan_activated': 'Yes (database secured '
                                                  'within hours of '
                                                  'disclosure)'},
 'title': 'Hello Gym Unsecured Database Exposes 1.6 Million Audio Recordings '
          'of Gym Members',
 'type': 'Data Exposure / Unsecured Database',
 'vulnerability_exploited': 'Lack of Authentication (No Password Protection)'}