Ontario-based fitness company PumpUp was recently found to have stored sensitive consumer health data and private messages between users on an unsecured server hosted on Amazon's cloud. Independent researcher Oliver Hough discovered the exposure and reported it to the news site ZDNet, which investigated the matter further.
Hough found that consumer data, including email addresses, location, workout records, health information such as the user's height and weight, and credit card information, was accessible on the unsecured server.
ZDNet then tried to inform PumpUp of the exposure, largely without response. The vendor also did not immediately respond to an ISMG request for comment. “The MQTT server did not have any authentication enabled; anyone with the knowledge to connect to an MQTT could connect and view all messages in transit,” Hough says. “They quietly closed off access; the MQTT server no longer responds at all. I can’t say much more as PumpUp won’t speak to me or anyone else.”
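A way to check a broker for exactly the weakness Hough describes, as an added example that is not part of the original article and is not PumpUp's or ZDNet's code: a hand-built MQTT 3.1.1 CONNECT packet with no credentials, followed by a subscription to the `#` wildcard, which is how a client reads every message in transit. The host, port and client identifier are placeholders; run it only against a broker you are authorized to test.

```python
"""Probe an MQTT 3.1.1 broker for anonymous access plus a wildcard ('#')
subscription, using raw sockets rather than a client library.
Example code added to this article, not PumpUp's or ZDNet's code."""
import socket
import struct
import sys

CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _remaining_length(n):
    """MQTT variable-length integer used in every fixed header."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _utf8(s):
    """Length-prefixed UTF-8 string field."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id, username=None, password=None, keepalive=30):
    """CONNECT packet; with no username/password this is an anonymous login."""
    flags = 0x02  # clean session
    payload = _utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8(username)
        if password is not None:
            flags |= 0x40
            pw = password if isinstance(password, bytes) else password.encode("utf-8")
            payload += struct.pack("!H", len(pw)) + pw
    var_header = _utf8("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connack(data):
    """Return the CONNACK return code (0 means the broker let us in)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return data[3]


def build_subscribe(packet_id, topic_filter="#", qos=0):
    """SUBSCRIBE packet; the '#' filter asks for every topic on the broker."""
    body = struct.pack("!H", packet_id) + _utf8(topic_filter) + bytes([qos])
    return bytes([0x82]) + _remaining_length(len(body)) + body


def parse_suback(data):
    """Return (packet_id, return_code); 0-2 is the granted QoS, 0x80 is failure."""
    if len(data) < 5 or data[0] != 0x90:
        raise ValueError("not a SUBACK packet")
    return struct.unpack("!H", data[2:4])[0], data[4]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection")
        buf += chunk
    return buf


def probe_broker(host, port=1883, timeout=5.0):
    """Connect anonymously, then try a '#' subscription; report what the broker allowed."""
    result = {"connack": None, "suback": None,
              "anonymous_access": False, "wildcard_subscribe": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("anon-probe"))  # placeholder client id
        result["connack"] = parse_connack(_recv_exact(sock, 4))
        if result["connack"] != 0:
            return result  # broker refused the anonymous login: the expected outcome
        result["anonymous_access"] = True
        sock.sendall(build_subscribe(1, "#"))
        _, code = parse_suback(_recv_exact(sock, 5))
        result["suback"] = code
        result["wildcard_subscribe"] = code < 0x80
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    r = probe_broker(host)
    print(f"CONNACK {r['connack']} ({CONNACK_CODES.get(r['connack'], 'unknown')})")
    if r["anonymous_access"]:
        print("broker accepts anonymous clients; '#' subscription",
              "granted" if r["wildcard_subscribe"] else "refused")
```

A correctly configured broker answers the credential-less CONNECT with return code 4 or 5 and never reaches the subscription step; a broker that returns 0 and then grants the `#` subscription is in the state Hough describes. Both checks matter, because a broker can accept anonymous clients yet still block wildcard reads with topic ACLs. The probe speaks plaintext on port 1883; a broker that only listens with TLS needs the socket wrapped in `ssl` first.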
According to ZDNet, PumpUp has about 6 million users across its apps. It is unclear how much of their data was exposed.
According to several reports, however, PumpUp officials have stated that they are not aware of anyone other than Hough having accessed the information. “Beyond the security researcher who originally came across the vulnerability, we are not aware of any other individuals who were aware of this situation or who had access to any of the data,” CEO Garrett Gottlieb wrote in a statement to Global News.