FitMetrix Leaks User Information

Discussion in '[H]ard|OCP Front Page News' started by AlphaAtlas, Oct 11, 2018.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,055
    Joined:
    Mar 3, 2018
    Another day, another massive user data leak, this time from FitMetrix. The fitness company, which makes software for institutions like Crossfit and SoulCycle, reportedly hosted user data on AWS instances, but forgot to use a password to secure that data. Security researcher Bob Diachenko claims the database contained 113.5 million records, with each record containing some combination of a "user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more." The server was still open and vulnerable when Bob and TechCrunch posted their articles.

    "We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed," said Jason Loomis, Mindbody’s chief information security officer. "We took immediate steps to close this vulnerability," he added. "Current indications are that this data included a subset of the consumers managed by FitMetrix, which was acquired by Mindbody in February 2018, and did not include any login credentials, passwords, credit card information or personal health information," he said. Diachenko rebuffed Mindbody’s claim, saying that there was "some" health information in the data, based on his analysis of the data. TechCrunch also found several records including height, weight and shoe sizes. When asked to clarify, Mindbody spokesperson Jennifer Saxon would not comment further.
     
  2. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,349
    Joined:
    Aug 2, 2004
    I think it's time to stop allowing data to be collected anymore. It seems every day some company has a massive data leak, half the time due to someone not changing a password, or some other extremely basic IT blunder. Companies have proven time and again they cannot be trusted with this information. Where's the world superpower to keep this crap from happening anymore?
     
    BloodyIron and AceGoober like this.
  3. Nenu

    Nenu [H]ardened

    Messages:
    18,191
    Joined:
    Apr 28, 2007
    Failures at this level deserve jail time.
     
    BloodyIron, PaulP, F.E.A.R. and 2 others like this.
  4. lollerwaffle

    lollerwaffle Gawd

    Messages:
    623
    Joined:
    Feb 3, 2008
    Regulate, verify and fine.
    I know the government isn't always the answer, and government itself has lost data in preventable leaks. However, government can enforce. ISO standards for all this shit exist. Businesses need to pay up for a license to store private information, like a liquor license but more available and cheaper, and pony up for the infrastructure to support those, or utilize a service that is properly certified.

    Then all this shit can get audited, like we do with business and financial practices. But then the outcry would be that the big bad gubbernment is stifling innovation with exorbitant fees and costs.
     
  5. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,349
    Joined:
    Aug 2, 2004
    Newp, I don't want licensing and fines, because the leaks will still occur when the companies decide the fine is less than the costs of properly securing their data and the benefits they get from possessing this data. I want a government entity that obliterates companies that collect data like this, it simply cannot be allowed anymore. What does obliteration mean in this context? I don't know, but it needs to be something way way way worse than fines.
     
  6. Darunion

    Darunion Chin Poon Specialist

    Messages:
    3,331
    Joined:
    Oct 6, 2010
    I agree sadly. And with all these startups that begin with very little investment into their infrastructure trying to be the next big thing, it is becoming more and more common. The amount of crap we deal with at work for consumer electronics crap with the FCC and the like for voltage potential risks, or spurious emissions, or if they find pvc insulation on a wire blah blah blah. Why is there not some level of control for this? I guess it comes down to who would make money on such a system put in place?

    Also I am tired of every single thing you do needs an account and login for things. Why must I make an account to buy something? How about we make our exchange and go our ways instead lol. Make money on the transaction, not my information.
     
    AceGoober likes this.
  7. lollerwaffle

    lollerwaffle Gawd

    Messages:
    623
    Joined:
    Feb 3, 2008
    Make the fines scale appropriately so that it *can not* be cheaper to just take the fine. It's doable, really.
     
    AceGoober likes this.
  8. Tawnos

    Tawnos 2[H]4U

    Messages:
    3,801
    Joined:
    Sep 9, 2001
    How would you log onto websites, store data that is submitted to forums, send emails, etc? All of that counts as collected data and seems quite fundamental for the functioning of the web.
     
  9. jojo69

    jojo69 [H]ardForum Junkie

    Messages:
    10,500
    Joined:
    Sep 13, 2009

    works awesome with the banks...oh wait
     
    Wrecked Em, Aioeyu and AceGoober like this.
  10. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,349
    Joined:
    Aug 2, 2004
    I think I was a little unclear. Things like phone numbers, names, credit card info, you know the personal stuff that if criminals get they can easily commit identify theft and fraud. Logging on to websites, email, etc can all be simply the username and password alone stored. Any financial information should exist in session only, and when the transaction is complete, wiped from the system. Next month or purchase date, it needs to be entered again. The convenience of not having to enter things in repeatedly isn't worth the hassle of dealing with the possible crime resulting in all your financial info being out there for the world to see.

    I would be in support of a fine / jail system for these kind of leaks, if I thought it would actually work. It will not, just like fines have not stopped any other numerous business practices that chock it up as the cost of doing business. With everyone storing their databases in the cloud now, it is no surprise noone thought of password protecting it. So, as I've been known to be a little extreme in my proposed solutions as it sometimes leads to reasonable suggestions, do you have something more sane? As far as I'm concerned, the acceptable number of leaks such as these should be zero, how do we approach (if not reach) that?
     
  11. RogueTadhg

    RogueTadhg [H]ard|Gawd

    Messages:
    1,459
    Joined:
    Dec 14, 2011
    At least it's not MMO-Champion. I just received an email yesturday that...
    "MMO-Champion recently learned that in 2010, there was an unauthorized access to a database containing information..."

    Back in 2010.
     
    xmadror likes this.
  12. WBurchnall

    WBurchnall 2[H]4U

    Messages:
    2,533
    Joined:
    Oct 10, 2009
    I can't wait to hear the guy responsible for this explain "No password" to his boss. "But sir, if there was a password, you'd have to remember it and so what I did was really for your benefit. Besides, we just started Agile programming and that wasn't part of our list of things to do."

    dt071126-768x241.gif
     
    dvsman, GoldenTiger and AceGoober like this.
  13. Tawnos

    Tawnos 2[H]4U

    Messages:
    3,801
    Joined:
    Sep 9, 2001
    Many of those are required to be collected and for payment transactions and some details stored for things like fraud protection, refunds, product recalls, etc.

    A key difficulty is educating those who think "data collection" means actively querying or acquiring that data not typed and provided by a customer, rather than its actual meaning of "data we store from or about you". That's not necessarily you, but I would be willing to bet a majority of people read a privacy statement saying "we collect _foo_" and interpret it as "we go into your system and get _foo_", ignoring user-submitted items. Developers may harm the user by making the same mistake when they are designing or writing a system that collects data. That hypothetical dev thinks they're not "collecting" anything because the data is manually input and submitted by the user, and that compounds when procedures don't encourage treating any data that's ever used in any fashion by their company as being worth protection.

    On the policy side:
    Some of the provisions of the GDPR could reasonably be enacted and enforced without dragging along the rest of its burden. For example the provision requiring mandatory disclosure within a specified time period after a data breach is detected. I'd also change the nature of the penalties to specify various tiers of data breach based on the scope of the data that was breached, where those impacted are automatically paid out a fixed amount based on those tiers and the government gets some percentage cut on top of that.

    On the technology side:
    This is an ongoing and evolving problem that (honestly) has gotten better over time, and I think there are areas we could still improve in our industry.

    For example, many code samples and project templates are far too narrow in scope and don't incorporate best practices. The default behavior for example/template code should be less reductionist/focused on showing off a specific feature as quickly as possible and more focused on showing how to properly set up that feature. For example, adding security or configuring database encryption are often steps that happen at the end of tutorials, as optional steps, or in a separate area entirely. Instead of demonstrating how to get a service running for development with an unencrypted connection, no auth, etc, those should be early steps so development is approached with a mentality that they should be on and it takes more effort to turn them off.

    Beyond that there are areas like developing the tools to allow developers an integrated way to do things like describing and validating expectations for data flow/usage, extending standards for web APIs to produce metadata that describes the kinds of data being collected by various calls, and many others.
     
    GoldenTiger likes this.
  14. PaulP

    PaulP Gawd

    Messages:
    711
    Joined:
    Oct 31, 2016
    If a company handled customer/client money/property this irresponsibly, people would go to jail.
     
  15. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,810
    Joined:
    Nov 15, 2016

    I can see it now.. The DB is being sorted using AI on how hot the womens profile photos are.. and then being contacted
     
  16. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,122
    Joined:
    Jul 11, 2005
    Hey look, another reason for on premises! I'll add this to my massive list...
     
  17. WBurchnall

    WBurchnall 2[H]4U

    Messages:
    2,533
    Joined:
    Oct 10, 2009
    Yes, my AI chat bot isn't working so well though. The attractive fit cross fit women don't seem to be attracted to my out shape, balding self. Who knew :p? I just need my chances to be better then one in 113.5 million though.