Insecure Database Affects 60 Million User Records

Security: The HealthKit and Fitbit apps have leaked sensitive user data.

An unsecured database containing more than 61 million records relating to wearable technology and fitness services was left exposed online. On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the insecure database was owned by GetHealth.

New York-based GetHealth describes itself as a “unified solution for accessing health and wellness data from hundreds of smartphones, medical devices and apps”. The company’s platform is capable of extracting health-related data from sources such as Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.

The researchers claim that more than 61 million records were contained in the data repository, including large swathes of user information – some of which could be considered sensitive – such as their names, dates of birth, weight, height, sex and GPS logs.

Majority of data comes from HealthKit and Fitbit
By sampling a set of around 20,000 records to verify the data, the team found that the majority of the data came from Fitbit and Apple’s HealthKit.

“This information was in clear text while there was an identifier that appeared to be encrypted,” say the researchers. “The geolocation was structured as in ‘America / New York’, ‘Europe / Dublin’ and revealed that users were located all over the world.”

“The files also show where the data is stored and a map of how the network is operating from behind and has been configured,” the team adds.

References to GetHealth in the 16.71 GB database indicate that the company is the potential owner. After the data was validated on the day of the discovery, Jeremiah Fowler privately briefed the company on his findings. GetHealth responded quickly and the system was secured within hours. The same day, the technical director of the company contacted him, informed him that the security issue was now resolved and thanked the researcher.

“We do not know how long these records were exposed or who else could have access to all the data,” says WebsitePlanet.

“We do not imply any wrongdoing on the part of GetHealth, its customers or its partners. We also do not imply that customer or user data was at risk. We were unable to determine the exact number of people affected before access to the database was restricted to the public.”