Fitness company data leak affects 99,000 customers, trainers — what to do

The personally identifiable information of more than 99,000 customers of Las Vegas-based diet-supplement and exercise-program company V Shred may have been left exposed online due to an insecure database.

V Shred describes itself as a fast-growing "fitness, nutrition and supplement brand" with tens of thousands of customers in 119 countries and 12 million unique website visitors.

But researchers at VPNMentor said they had found an unsecured Amazon Web Services "bucket" that held 1.3 million personal files and 606GB of data in total.

“By not protecting these files, V Shred compromised the privacy and security of its customers and left them exposed to bullying, fraud, and more,” wrote the researchers in a blog post yesterday (July 2). 

The unprotected AWS bucket, found by the researchers May 14, consisted mainly of three large comma-separated-values files, which are simple databases that can be easily opened by Microsoft Excel or other spreadsheet programs.

But the bucket also contained profile photos, "before and after body photos" of customers -- some "very revealing" -- and information about meal plans.

According to the researchers, the unsecured photos and documents “contained various pieces of personally identifiable information (PII) data that revealed sensitive information about the people exposed.”

Tom's Guide has reached out to V Shred's parent company, Sculpt Nation, for comment. We will update this story when we receive a reply.

Putting thousands at risk

The three CSV files contained the personal information of tens of thousands of individuals from across the world.

Each file had a different purpose. One contained 96,000 entries from a sales-lead-generation list; the second contained 3,522 entries from an email-address list; and the third contained the personal information of 52 trainers who worked for or with the company.

The researchers warned that the “CSV files presented a much greater immediate risk” due to the fact that they “contained huge amounts of PII data for each individual listed”.

VPNMentor said the CSV files included information like full names, home addresses, emails, phone numbers, birthdays, Social Security numbers, spouse names, social media accounts, usernames and passwords, gender, health conditions, age, citizenship and more.

The report didn't say whether the passwords were "hashed," that is, stored only as the output of a one-way function rather than in readable form. Because of that lack of information, it's probably best to assume the worst, so if you have a V Shred account, change its password now. (And use one of the best password managers to create and handle it.)

The Social Security numbers presumably belonged to the 52 trainers, as U.S. companies normally collect such data only from employees or contractors. But if you're one of those people, best to sign up with one of the best identity-theft-protection services now.

Lack of action

The researchers contacted V Shred and AWS to alert them to the breach in May, but V Shred took a month to remove the files containing personal information from the AWS bucket.

The fitness firm told VPNMentor that it "would be leaving all other files publicly accessible" because V Shred customers needed to be able to access their meal plans, workout instructions and before-and-after photos.

Charlie Osborne at ZDNet had a look at the data that was still accessible and confirmed that it included "company materials ... diet guides, workout plans, and user photos."

In terms of the impact of this breach, VPNMentor warned that “malicious hackers and cybercriminals could create very effective phishing campaigns targeting V Shred customers”.

That's true, but only if malicious hackers were to get access to the exposed information. There's no indication that anyone other than VPNMentor did before the files were secured, which is why we're not calling this a data breach.

However, plenty of people are indeed snooping around the internet trying to find unsecured AWS buckets.

VPNMentor's report added: “V Shred is a young company and appears to be run by a small team. However, it’s still responsible for protecting the people using its products and signing up for its services.

“By not doing so, V Shred has jeopardized the privacy and security of the people exposed, and the future of the company itself.”

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!