


Fitness company data leak affects 99,000 customers, trainers — what to do


The personally identifiable data of more than 99,000 customers of Las Vegas-based diet-supplement and exercise-program company V Shred may have been left exposed online due to an insecure database.

V Shred describes itself as a fast-growing "fitness, nutrition and supplement brand" with tens of thousands of customers in 119 countries and 12 million unique website visitors.


But researchers at VPNMentor said they had found an unsecured Amazon Web Services "bucket" that held 1.3 million personal files and 606GB of data in total.

"By not protecting these files, V Shred compromised the privacy and security of its customers and left them exposed to bullying, fraud, and more," wrote the researchers in a blog post yesterday (July 2).

The unprotected AWS bucket, found by the researchers May 14, consisted mainly of three big comma-separated-values files, which are simple databases that can be easily opened by Microsoft Excel or other spreadsheet programs.

But the bucket also contained profile photos, "before and after body photos" of customers -- some "very revealing" -- and data about meal plans.

According to the researchers, the unsecured photos and documents "contained various pieces of personally identifiable information (PII) data that revealed sensitive information about the people exposed."

Tom's Guide has reached out to V Shred's parent company, Sculpt Nation, for comment. We will update this story when we receive a reply.

Putting thousands at risk

The three CSV files contained the personal information from tens of thousands of individuals from across the world.

Each file had a different purpose. One contained 96,000 entries from a sales-lead-generation list; the second contained 3,522 entries from an email-address list; and the third contained the personal information of 52 trainers who worked for or with the company.

The researchers warned that the "CSV files presented a much greater immediate risk" due to the fact that they "contained huge amounts of PII data for each individual listed".

VPNMentor said the CSV files included information like full names, home addresses, emails, telephone numbers, birthdays, Social Security numbers, spouse names, social media accounts, usernames and passwords, gender, health conditions, age, citizenship and more.

The report didn't say whether the passwords were "hashed," or protected by one-way encryption, in any manner. Because of that lack of information, it's probably best to assume the worst, so if you have a V Shred account, change its password now. (And use one of the best password managers to create and handle it.)

The Social Security numbers presumably belonged to the 52 trainers, as U.S. companies normally collect such data only from employees or contractors. But if you're one of those people, best to sign up with one of the best identity-theft-protection services now.

Lack of action

The researchers contacted V Shred and AWS to alert them of the breach in May, but V Shred took a month to remove the files containing personal information from the AWS bucket.

The fitness firm told VPNMentor that it "would be leaving all other files publicly accessible" because V Shred customers needed to be able to access their meal plans, workout instructions and before-and-after photos.

Charlie Osborne at ZDNet had a look at the data that was still accessible and confirmed that it included "company materials ... nutrition guides, workout plans, and user photos."

In terms of the impact of this breach, VPNMentor warned that "malicious hackers and cybercriminals could create very effective phishing campaigns targeting V Shred customers".

That's true, but only if malicious hackers were to get access to the exposed information. There's no indication that anyone other than VPNMentor did before the files were secured, which is why we're not calling this a data breach.

Yet, plenty of people are indeed snooping around the internet trying to find unsecured AWS buckets.

VPNMentor's report added: "V Shred is a young company and appears to be run by a small team. However, it's still responsible for protecting the people using its products and signing up for its services.

"By not doing so, V Shred has jeopardized the privacy and security of the people exposed, and the future of the company itself."


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

Source: https://www.tomsguide.com/news/v-shred-data-leak

Posted by: hallmarkhimentrapsed43.blogspot.com
