Kinomap data breach exposes 42 million records

Millions of records belonging to users of a fitness technology app were exposed online for almost a month due to a misconfigured database, including a swathe of personal details.

Approximately 40GB worth of information belonging to users of Kinomap, a service that creates immersive workout videos for people on rowing and cycling machines as well as treadmills, was discovered by security researchers in March.

This enormous amount of data amounted to 42 million records and affected the platform’s entire user base, including people from a number of countries across the UK, Europe and the US. The data was discovered by researchers at vpnMentor as part of a web-mapping project on 16 March, with the public access to the database closed on 12 April.

The data exposed included full names, email addresses, gender, timestamps for exercises, the date users joined Kinomap, as well as a great deal of personal data revealed indirectly.

Many of the entries linked to user profiles and records of account activity which, in a similar way to social media profiles, could reveal a lot about individuals.

Should hackers have discovered the database, they could have combined the information in numerous ways, by devising fraud schemes and other forms of online attack against victims. They could also have taken over user accounts on Kinomap.

Many of the exposed entries, for instance, included access keys for Kinomap’s API, which cyber criminals could have used to gain full access to a user account, and lock users out.

“By not having more robust data security in place, Kinomap made its users vulnerable to a wide range of frauds,” said vpnMentor’s team, which was led by security experts Noam Rotem and Ran Locar.

RELATED RESOURCE

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

FREE DOWNLOAD

“With millions of people across the globe now under quarantine at home due the Coronavirus pandemic, the impact of a leak like this grows exponentially. Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis.

“Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place. However, Kinomap itself was also vulnerable. A data leak of this nature could seriously endanger the health and finances of the company.”

The researchers have suggested that Kinomap may face several repercussions as a result of the breach, including an investigation conducted by data protection authorities over potential GDPR violations.

Kinomap could have easily avoided this leak if it had taken basic security measures to protect the database, including securing its servers, implementing proper access rules and not leaving a system that didn’t require authentication open.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.