
Image credit: Westend61 via Getty Images

Fitness app PumpUp left users' personal data exposed on server

Email addresses, biological information and even potentially credit card numbers.

While it's not at the catastrophic level of MyFitnessPal's 150 million-user data breach, the company behind the workout app PumpUp left information for 6 million of its members exposed. The Amazon cloud-hosted back-end server holding the data didn't have a password set up for an uncertain length of time, enabling anyone to observe sign-ins and exchanged messages.

According to ZDNet, the server is now secured -- but it's still exposing data when it acts as a broker exchanging user messages. It uses a communication protocol normally reserved for communicating with Internet of Things devices and apps, which is low-bandwidth but transitory, letting anyone peer in and observe data as it's being sent back and forth.

Message senders had their profile data and personal information exposed to whoever was looking -- not just email addresses, location and workout records, but all the health information users self-reported, like height, weight, health concerns, medications and how much they drank and/or smoked. It also exposed their device data, like IP addresses and session tokens, which malefactors could use to sign in to a user's account without needing a password. Worse, even credit card data might have been exposed during exchanges.

Security expert Oliver Hough reportedly discovered the issue and tipped off ZDNet, which tried to inform PumpUp for a week. We've reached out and will include the company's response if we hear back.

Source: ZDNet
