Fitness app PumpUp left users' personal data exposed on server

Email addresses, biological information and even potentially credit card numbers.

While it's not at the catastrophic level of MyFitnessPal's 150 million-user data breach, the company behind the workout app PumpUp left information for 6 million of its members exposed. The Amazon cloud-hosted back-end server holding the data didn't have a password set up for an uncertain length of time, enabling anyone to observe sign-ins and exchanged messages.

According to ZDNet, the server is now secured -- but it's still exposing data when it acts as a broker exchanging user messages. It uses a communication protocol normally reserved for communicating with Internet of Things devices and apps, which is low-bandwidth but transitory, letting anyone peer in and observe data as it's being sent back and forth.

Message senders had their profile data and personal information exposed to whoever was looking -- not just email addresses, location and workout records, but all the health information users self-reported, like height, weight, health concerns, medications and how much they drank and/or smoked. It also exposed their device data, like IP addresses and session tokens, which malefactors could use to sign in to a user's account without needing a password. Worse, even credit card data might have been exposed during exchanges.

Security expert Oliver Hough reportedly discovered the issue and tipped off ZDNet, which tried to inform PumpUp for a week. We've reached out and will include the company's response if we hear back.
