61 Million Personal Data & Fitness Records Leaked – Data from Fitbit, Apple, Samsung, Strava & Others
News is emerging of a potential leak of 21 million publicly exposed records from the gethealth.io fitness service based in New York. The service has been informed and has taken down its site.
The data includes name, sex, date of birth, location information and more.
This is the first major fitness-related data issue for over a year; the last major event of a similar kind was the suspension of Garmin’s platform following 2020’s Garminpocalypse attack.
Who Are Gethealth.io?
The gethealth platform links to almost all the major fitness platforms and pulls data from them to create a unified stream of health & fitness data for its members.
Am I affected?
If you have ever used the gethealth.io platform, you are exposed to the risk of having had your personal information leaked or sold.
If you have never dealt with them you are fine.
What exactly is the risk?
61,053,956 records were stored in an unsecured and mostly-unencrypted database that was visible online and which could have been accessible for days, months or years. It is not known whether nefarious hackers accessed the information, nor for how long it was exposed.
The site and database were secured yesterday after the original researcher from techspot contacted the company about the issue.
What Data Is Exposed?
Highly personal data has been exposed, including name, age, height, weight and geo-location. Alongside that, there is workout, nutrition, sleep and other data that has been pulled in from well-known services including Samsung, Apple Health, Strava, Runkeeper, Google Fit, Fitbit and more besides. However, in a sample of over 20,000 records, the majority of data was sourced from Apple Health, with a significant amount also from Fitbit. It should be noted that Apple Health is a repository for the data from potentially hundreds of sport & fitness apps installed on iPhones, so your Garmin data could have been synced to Apple Health and then, with your permission, to GetHealth.
However, it’s quite possible that other data sources are heavily represented in the unsampled data.
Are the Apple, Fitbit, Strava Sites Secure?
Yes. They are not at fault. The blame lies squarely with GetHealth.
Unless your login details to these 3rd party sites were leaked by GetHealth, you will be fine. There have been no reports that your login details were leaked and I would be surprised if they were, from what I have seen.
Ouch. That will be the end of GetHealth then.