Fitness studio management platform Mariana Tek exposed 1.5+ million user records

“Appropriate remedial action had been taken” by the company following the closure of the leak.

We have recently discovered an exposed data bucket that belongs to Mariana Tek, a US-based software company. The unsecured bucket contained more than 1.5 million user records, including usernames, full names, street and email addresses, phone numbers, postal codes, account balances, and more.

The CSV files that contained the records were stored on an Amazon Web Services server that was publicly accessible. This means that anyone with a direct URL to the files, including bad actors, could have accessed the data that was left out in the open.

On February 12, the sensitive files in the Mariana Tek app bucket were secured by the company and are no longer publicly accessible.

To see if any of your online accounts were exposed in this or other security breaches, use our personal data leak checker with a library of 15+ billion breached accounts.

What data was exposed?

The exposed Mariana Tek bucket contained 36,951 files, including 633 CSV files containing 1,522,740 records of users who signed up for fitness and wellness activities with businesses that use the Mariana Tek API. Of those records, 850,831 were unique.

Most of the CSV files contained user records for who we assume are users who subscribed to fitness, wellness, spa, and other services offered by fitness companies who are Mariana Tek clients.

The data included full names, genders, birth dates, locations, and street addresses, phone numbers, emails, account balances, and other information, depending on the fitness or wellness service that the users were subscribed to.

Aside from the user records, the bucket also contained thousands of profile pictures that appear to belong to users and business owners, such as fitness and wellness trainers.

Who is the company behind the leak?

Mariana Tek is a software company based in Washington, DC that offers a digital platform for fitness companies to manage their business, including class scheduling, fitness studio management, marketing, e-commerce processing, and product customization. The company is part of Transaction Services Group.

Who had access to the data?

At this time, it is unclear if any bad actors have accessed the unsecured Mariana Tek data bucket and downloaded the files containing user records. That being said, the CSV files from the bucket contained user records dating as far back as 2019.

The files were stored on a publicly accessible Amazon S3 bucket managed by Mariana Tek. Accessing and downloading files hosted on public Amazon servers requires very little technical knowledge, which means that there’s a chance that the CSV stored in this bucket may have been accessed by bad actors for malicious purposes.

What’s the impact of the leak?

Fortunately, the files stored in the exposed Mariana Tek bucket did not contain any deeply sensitive data like personal documents, passwords, or IDs. However, even this data can be enough for bad actors to engage in a variety of malicious activities against exposed users:

• Contact details like full names, phone numbers, and email addresses can be used by phishers and scammers to carry out targeted attacks against the exposed users by sending them malicious spam emails and fraudulent text messages.
• Particularly determined criminals can combine the data found in the Mariana Tek bucket with other cyber breaches and build detailed profiles of potential targets for identity theft.

What happened to the data?

We discovered the Mariana Tek bucket on February 12 and immediately reached out to the company and Amazon in order to help secure the sensitive data.

According to Kevin Kanji, Chief Security Officer at Transaction Services Group, the company “acted immediately to investigate the matters reported” and promptly disabled access to the files that stored the personal information of Mariana Tek users.

“We take information security very seriously and want to thank both CyberNews and AWS for bringing this matter to our attention,” Kanji told CyberNews.

What to do if you’ve been affected by the leak?

If you have an account with a fitness company that uses the Mariana Tek API, it’s likely that your information may have been exposed in this breach. To secure your data and avoid potential harm from threat actors, we recommend doing the following:

• Use our personal data leak checker to see if your data has been leaked in this or other breaches.
• Change your email password (you can easily generate complex passwords with our strong password generator) and consider using a password manager.
• Enable two-factor authentication (2FA) on your email and other online accounts.
• Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don’t click on anything that seems suspicious, including emails and texts from senders you don’t recognize.