Kinomap data breach exposes 42 million records

40GB of exposed data includes users' names and personal details

Millions of records belonging to users of a fitness technology app were exposed online for almost a month due to a misconfigured database, including a swathe of personal details.

Approximately 40GB worth of information belonging to users of Kinomap, a service that creates immersive workout videos for people on rowing and cycling machines as well as treadmills, was discovered by security researchers in March.

This enormous amount of data amounted to 42 million records and affected the platform’s entire user base, including people from a number of countries across the UK, Europe and the US. The data was discovered by researchers at vpnMentor as part of a web-mapping project on 16 March, with the public access to the database closed on 12 April. 

The data exposed included full names, email addresses, gender, timestamps for exercises, the date users joined Kinomap, as well as a great deal of personal data revealed indirectly. 

Many of the entries linked to user profiles and records of account activity which, in a similar way to social media profiles, could reveal a lot about individuals.

Should hackers have discovered the database, they could have combined the information in numerous ways, by devising fraud schemes and other forms of online attack against victims. They could also have taken over user accounts on Kinomap. 

Many of the exposed entries, for instance, included access keys for Kinomap’s API, which cyber criminals could have used to gain full access to a user account, and lock users out.

“By not having more robust data security in place, Kinomap made its users vulnerable to a wide range of frauds,” said vpnMentor’s team, which was led by security experts Noam Rotem and Ran Locar.

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“With millions of people across the globe now under quarantine at home due the Coronavirus pandemic, the impact of a leak like this grows exponentially. Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis.

“Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place. However, Kinomap itself was also vulnerable. A data leak of this nature could seriously endanger the health and finances of the company.”

The researchers have suggested that Kinomap may face several repercussions as a result of the breach, including an investigation conducted by data protection authorities over potential GDPR violations

Kinomap could have easily avoided this leak if it had taken basic security measures to protect the database, including securing its servers, implementing proper access rules and not leaving a system that didn’t require authentication open.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?

What is Neuralink?

24 Oct 2020