Fitness apps continue to have problems with securing user data, as a new report sheds light on a leak that revealed health data, private messages and even unencrypted credit card data in some cases.

The fitness and workout community app PumpUp, which boasts more than six million users, was the culprit this time around, according to a report from ZDNet. Security researcher Oliver Hough found an exposed backend server on Amazon's cloud that allowed anyone who found it to watch user content as it was transmitted in real time.

The exposed data included email addresses, birthdates, locations, workout and activity goals, profile photos, lists of blocked users, and the private contents of messages.

User-submitted health data was also exposed, ZDNet says. That information included height, weight, caffeine and alcohol consumption, smoking habits, medications, and other health concerns.

[We’ve issued a warning before. Read our article Stay Aware: Security Risks In Fitness Apps.]

As if all that weren't enough, device data, including IP addresses, could have been seen by anyone, and linked Facebook accounts could have been at risk as well. In "some" cases the exposed data also included unencrypted credit card details, including the card numbers needed to make a purchase.

Because the data was visible only as it passed through the server in real time, it's unlikely that every user's data was exposed, as Hough points out. However, there is no way of knowing what was actually seen and what wasn't, so every user was potentially at risk.

No Response?

PumpUp isn't the biggest fitness app to suffer a reported data incident this year: 150 million accounts were exposed in the MyFitnessPal breach, and Strava had some well-publicized issues with its Global Heatmap. But some unlucky PumpUp users may have had more private data revealed than users of those other apps.

The leak is disturbing enough on its own, but just as unnerving is the company's failure to comment on it. ZDNet says "the server is thought to have been quietly secured earlier this week," but neither PumpUp nor its backers commented on the story, either to refute or to confirm it.

PumpUp’s Twitter account has said nothing about the leak as of this writing, nor has the company’s website. We’ll see if any updates are forthcoming, but it’s not a promising sign.
