A data leak has recently impacted Hello Gym, a technology services company based in Minnesota that works with the fitness industry. A cybersecurity researcher from Website Planet, Jeremiah Fowler, discovered a database containing a large number of audio files that were not protected by a password. This database contained voicemails and phone recordings from 2020 to 2025.
Fowler’s investigation revealed that the database held over 1.6 million files. These files included Personally Identifiable Information (PII) like customer names, phone numbers, and the reason for their call to the gym. The information was stored in an unprotected area, allowing anyone with the right technical knowledge to access it without a password. The exposed records belonged to numerous gyms across the US and Canada, many of which are independent franchises that use a third-party service like Hello Gym for their technology needs.
Within hours of the researcher’s disclosure, the database was secured. However, it’s unclear how long the data was exposed or whether anyone else gained access to the information. This incident is a serious security concern because of the nature of the exposed data. In today’s digital world, audio recordings, particularly those containing a person’s voice, are highly valuable to cybercriminals. This type of information is often used for social engineering attacks or identity theft.
For example, a scammer could use the specific details from a voicemail to build trust and trick someone into giving away more private information. They could even impersonate gym staff members and convince people to share sensitive payment information or other private data. Beyond this, voice data can also be used to create deepfakes, which are convincing but false recordings used to impersonate individuals for scams or financial crimes.
While the quick securing of the database is a positive step, the exposure of such sensitive data highlights the critical need for all companies to be vigilant in protecting their customers’ information. This event serves as a reminder that all businesses, no matter their size, must prioritize cybersecurity to prevent these kinds of incidents and protect their customers.
Reference:
