Kinomap data breach exposes 42 million records

40GB of exposed data includes users' names and personal details

Millions of records belonging to users of a fitness technology app were exposed online for almost a month due to a misconfigured database, including a swathe of personal details.

Approximately 40GB worth of information belonging to users of Kinomap, a service that creates immersive workout videos for people on rowing and cycling machines as well as treadmills, was discovered by security researchers in March.

This enormous amount of data amounted to 42 million records and affected the platform’s entire user base, including people from a number of countries across the UK, Europe and the US. The data was discovered by researchers at vpnMentor as part of a web-mapping project on 16 March, with the public access to the database closed on 12 April. 

The data exposed included full names, email addresses, gender, timestamps for exercises, the date users joined Kinomap, as well as a great deal of personal data revealed indirectly. 

Many of the entries linked to user profiles and records of account activity which, in a similar way to social media profiles, could reveal a lot about individuals.

Should hackers have discovered the database, they could have combined the information in numerous ways, by devising fraud schemes and other forms of online attack against victims. They could also have taken over user accounts on Kinomap. 

Many of the exposed entries, for instance, included access keys for Kinomap’s API, which cyber criminals could have used to gain full access to a user account, and lock users out.

“By not having more robust data security in place, Kinomap made its users vulnerable to a wide range of frauds,” said vpnMentor’s team, which was led by security experts Noam Rotem and Ran Locar.

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“With millions of people across the globe now under quarantine at home due the Coronavirus pandemic, the impact of a leak like this grows exponentially. Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis.

“Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place. However, Kinomap itself was also vulnerable. A data leak of this nature could seriously endanger the health and finances of the company.”

The researchers have suggested that Kinomap may face several repercussions as a result of the breach, including an investigation conducted by data protection authorities over potential GDPR violations

Kinomap could have easily avoided this leak if it had taken basic security measures to protect the database, including securing its servers, implementing proper access rules and not leaving a system that didn’t require authentication open.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type

How to find RAM speed, size and type

8 Apr 2021