Fitness app Kinomap reportedly exposed 42 million user records after accidentally leaving them accessible online without password protection. Cybersecurity researchers at vpnMentor found that the leak had reportedly been open for well over a month.
Founded in 2002, Kinomap is a French exercise company whose app lets users create and share interactive fitness videos online. It also produces its own catalogue of workout videos, covering rowing, cycling, and treadmill running, among other activities.
The company is also known for coaching videos that seek to replicate one-on-one sessions with a personal trainer.
According to vpnMentor researchers Noam Rotem and Ran Locar, the leak stemmed from an unprotected online database belonging to an ongoing web mapping project run by the French fitness firm.
The 42 million exposed records included personally identifiable information (PII): users' full names, home countries, email addresses, Kinomap account usernames, gender, exercise timestamps, and account creation dates.
Beyond that PII, other personal data was also exposed, including users' profiles and their account activity.
The leak put users in many countries at risk, including Australia, Belgium, Canada, Finland, France, Germany, Hungary, Japan, Portugal, South Korea, the United Kingdom, and the United States of America.
According to SC Magazine, users from over 80 countries appear in the exposed database, which amounted to 40 gigabytes of data.
SC Magazine reports that the vpnMentor researchers first contacted the French fitness software maker on March 18, 2020. After receiving no response, vpnMentor contacted the firm again on March 30, 2020.
Although the company still did not respond to the researchers, Infosecurity reports that the exposure had been closed by April 12, 2020. However, it appears that the fix only came after the French data protection regulator was informed of the incident.
In a statement to SC Media, Philippe Moity, president of Kinomap, said the company addressed the issue immediately upon being notified by the French regulator and would investigate the matter further.
Moity also said, “We use elastic to deliver public information on videos, members, activities quickly on our website and in the apps. However, we’ve taken the situation seriously as it should have asked for a 3rd-party security auditor to make a deeper analysis and report.”
With people staying at home because of the pandemic, Rotem and Locar warn Kinomap and similar apps that attackers are actively seeking to exploit users' personal data.