Fitness app PumpUp left users' personal data exposed on server

Email addresses, biological information and even potentially credit card numbers.

Updated ·1 min read

While it's not at the catastrophic level of MyFitnessPal's 150 million-user data breach , the company behind the workout app PumpUp left information for 6 million of its members exposed. The Amazon cloud-hosted back-end server holding the data didn't have a password set up for an uncertain lenght of time, enabling anyone to observe sign-ins and exchanged messages.

According to ZDnet, the server is now secured -- but it's still exposing data when it acts as a broker exchanging user messages. It uses a communication protocol normally reserved for communicating with Internet of Things devices and apps, which is low-bandwidth but transitory, letting anyone peer in and observe data as it's being sent back and forth.

Message senders had their profile data and personal information exposed to whoever was looking -- not just email addresses, location and workout records, but all the health information users self-reported, like height, weight, health concerns, medications and how much they drank and/or smoked. It also exposed their device data, like IP addresses and session tokens, which malefactors could use to sign in to a user's account without needing a password. Worse, even credit card data might have been exposed during exchanges.

Security expert Oliver Hough reportedly discovered the issue and tipped off ZDNet, which tried to inform PumpUp for a week. We've reached out and will include the company's response if we hear back.