Total Fitness UK leak exposes 474K members' personal pics, some of kids

UK’s Total Fitness health club chain has been leaking hundreds of thousands of personal images and private data from a non-password-protected membership database.

Cybersecurity researcher Jeremiah Fowler at vpnMentor, who first discovered the leak, found 474,651 images exposed in the Total Fitness database, some of them said to also include personally identifiable information (PII).

The large swath of images contained “personal screenshots as well as profile pictures of members and their children,” Fowler reported on Monday.

Established in 1993, the Total Fitness UK chain owns and operates 15 health clubs across Northern England and Wales and two fitness apps, and has over 100,000 members and 600 employees, according to its website. Employee images were also part of the 47.7 GB data leak.

Total Fitness health club chain suffers data leak. One of 15 locations, the Wilmslow, Cheshire club is considered one of the largest fitness clubs in Europe. Image by Total Fitness

The trove of images – many described as close-up facial images taken by staff and used for gym profile pictures – also appeared to contain personal pictures uploaded by the members themselves, including pictures of their own children.

Passports, credit cards, and utility bills were listed as some of the confidential documents seen exposed by the researcher.

Moreover, Fowler was able to easily identify who the members were by using an “open-source reverse image search tool” that scoured the internet matching the leaked images to members' names and even more personal data in some cases.

One of the images was even linked to a gym member’s OnlyFans page, something most would not want publicly disclosed, leaving that member vulnerable to phishing attacks and extortion.

According to the report, Total Fitness was immediately notified of the leak, and the database was closed a week later, although it's unknown how long the database was left open without password protection, or if it had been previously accessed by any threat actors.

Total Fitness UK app on Google Play. Image by Cybernews.

It’s also not clear if other health-related data was exposed in the leak, or how many images may have belonged to former gym members.

“We are a members-only club and as part of our joining and access control processes, we ask our members to provide a photo of themselves. This protects their membership from being used by someone else and helps us to identify members should we need to locate them in one of our facilities,” Total Fitness said in its response to the responsible disclosure.

“We are communicating to all members whose images we have identified, and such images have been removed. We have also notified the ICO and will work with them on any enquiries they have on the matter,” the health club said.

The research also could not determine if the images came from the Total Fitness apps or its website portal, Fowler said.

On its website, Total Fitness states its apps are available for both Apple and Android OS and allow users to manage their membership, including profile details, payments, and access to digital workouts and personal trainers.

Cybernews has reached out to Total Fitness and is awaiting a response.

In January, Cybernews revealed the data of 151 million My Fitness Pal app users was exposed as part of a recent compilation of past breaches totaling over 26 million records, dubbed the ‘Mother of all Breaches.’

Also in January, a Cybernews report exposed which health and fitness apps collect the most data on their users and then share that data with third parties.