An unprotected database containing private data of Town Sports' employees and members was exposed on the internet.
US-based fitness chain Town Sports International exposed the personal records of over 600,000 employees and members on the internet through a misconfigured database, Comparitech reported.
Town Sports is a chain of gyms, spas, and fitness clubs with branches across the northeastern U.S. and around 600,000 members. The company owns many brand names, including Around the Clock Fitness, My Sports Clubs, Total Woman, and Lucille Roberts.
According to Comparitech researchers, the database was not password-protected and required no other form of authentication before granting access.
As a result, private data was exposed online, including full names, billing histories, contact information, street addresses, email addresses, and limited payment information such as credit card expiration dates and the last four digits of card numbers.
However, account passwords, full credit card numbers, and CVVs were not part of this database. The records were stored in an Amazon S3 bucket.
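The exposure described above came down to an S3 bucket that answered requests without any authentication. The following script is an added example, not code from Comparitech or Town Sports, showing how a defender can audit their own buckets for the two controls that most often sit behind such an exposure: the Public Access Block settings and the bucket ACL. The evaluation is a pure function over dictionaries in the shape boto3 returns from `get_public_access_block` and `get_bucket_acl`, so it runs offline on the constructed sample responses embedded below; `fetch_bucket_findings()` wires the same check to a live account and assumes boto3 is installed and AWS credentials are available.

```python
"""Audit an S3 bucket for anonymous (public) access. Added example, not the
report's or the company's own code. Constructed sample responses are used so the
check runs offline; the live path needs boto3 and AWS credentials."""
from __future__ import annotations

# Well-known S3 group grantee URIs: AllUsers means anonymous, unauthenticated
# access; AuthenticatedUsers means any AWS account in the world.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl: dict) -> list[str]:
    """Return 'Group:Permission' strings for grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"{who}:{grant.get('Permission')}")
    return findings


def evaluate_bucket(public_access_block: dict | None, acl: dict) -> list[str]:
    """Return a list of findings; an empty list means neither control exposes the bucket.

    public_access_block is the PublicAccessBlockConfiguration dict, or None when the
    bucket has none at all (S3 reports NoSuchPublicAccessBlockConfiguration).
    """
    findings = []
    if public_access_block is None:
        findings.append("no PublicAccessBlock configured")
        ignore_acls = False
    else:
        # Every one of the four flags should be true on a bucket holding private data.
        for key in BLOCK_KEYS:
            if not public_access_block.get(key, False):
                findings.append(f"{key} is false")
        ignore_acls = public_access_block.get("IgnorePublicAcls", False)
    # A public ACL grant only takes effect when IgnorePublicAcls is off.
    grants = public_grants(acl)
    if grants and not ignore_acls:
        findings.append("effective public ACL grants: " + ", ".join(grants))
    return findings


def fetch_bucket_findings(bucket: str) -> list[str]:
    """Live check: fetch both settings for one bucket with boto3 and evaluate them."""
    import boto3  # imported here so the offline evaluation works without boto3 installed
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return evaluate_bucket(pab, s3.get_bucket_acl(Bucket=bucket))


# Constructed sample responses (no real bucket): an ACL that grants anonymous READ,
# and a fully enabled Public Access Block that would neutralise that grant.
OPEN_BUCKET_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
LOCKED_PAB = {key: True for key in BLOCK_KEYS}

if __name__ == "__main__":
    for label, pab in (("no block, public ACL", None), ("block enabled, public ACL", LOCKED_PAB)):
        result = evaluate_bucket(pab, OPEN_BUCKET_ACL)
        print(f"{label}: {result or 'no public exposure found'}")
```

The check deliberately treats a missing Public Access Block as a finding in its own right, not just as "no flags set": a bucket with no configuration is one ACL change or one bucket policy away from being readable by anyone, which is the condition the report describes.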
According to a blog post published by Comparitech, security researcher Bob Diachenko was tipped off about the exposed database by cybersecurity expert Sami Toivonen on 21 Sep 2020. However, the database had first been detected on the web at least eleven months earlier, on 30 Nov 2019.
On 21 Sep 2020, Diachenko notified Town Sports and TechCrunch's Zack Whittaker as part of the company's responsible disclosure policy. Town Sports acknowledged the exposure and secured the database by 22 Sep 2020, but has not yet responded to Diachenko's notification.
It is not yet clear whether any unauthorized party accessed the database while it was exposed, so affected customers and employees should stay alert, as scammers may try to exploit the exposed data.
“Our research indicates unsecured databases can be found, stolen, and attacked within just a few hours of exposure,” researchers noted.