Gym bros exposed by Hello Gym phone service: 1.6 million audio recordings leaked

Published: 12 September 2025
Last updated: 12 September 2025
Hello Gym
Image by Cybernews.

No encryption, no password – a giant stash with over 1.6 million calls and voicemails, including gym members’ names, phone numbers, and other sensitive information, was found to be publicly exposed.

The affected data involves several major gym brands in the US and Canada, according to the cybersecurity researcher Jeremiah Fowler, who discovered and reported the breach to Website Planet.

The massive dataset contains 1,605,345 audio recordings in .mp3 format, collected between 2020 and 2025. It appeared in “a storage repository” and was seemingly managed by Hello Gym, a third-party contractor.

ADVERTISEMENT

“In a limited sampling of the exposed files, I heard audio recordings that mentioned PII (such as names and phone numbers) and the reason for the call,” Fowler said.

Multiple major franchisees and one corporate representative acknowledged the issue to the researcher.

vilius jurgita Gintaras Radauskas justinasv
Stay informed and get our latest stories on Google News
Google News Follow us

The data breach raises serious concerns because sensitive data is included in the reasons for calling, such as billing issues, membership renewals, payment updates, and others. This data can be used for highly targeted spear-phishing and social engineering attacks, leading to identity theft, impersonations, or financial crimes.

“Scammers could hypothetically impersonate a gym staff member and call a client using the information from the voicemail, asking them to provide updated credit or debit card details or pay a fraudulent cancellation fee,” the researcher warns.

Fowler believes that such a massive data set could also be abused by criminals to train deepfake voice agents.

The researcher disclosed the leak to Hello Gym, and the database was secured “within hours.” However, it’s unknown for how long the personal data was exposed to all the outsiders.

Has my data been leaked?
Check Now
ADVERTISEMENT

Hello Gym is a Minnesota-based communication and lead management platform, catering specifically to the fitness industry.

This incident prompts an obvious recommendation for businesses: use encryption. Fowler’s report urges companies to limit access to data, segment data not in use, delete old files, conduct vulnerability testing, and carefully evaluate vendors’ security practices.

The conversation on this topic is live. Join in the discussion.

Gymgoers should be aware that attackers may have access to their calls and be prepared for any potential social engineering attempts.

To stay safe, keep your ABS (always be skeptical) brakes in check: even if a caller sounds familiar, always validate their identity and don’t share sensitive financial and other details over the phone. Check out the FTC’s guidelines on how to avoid and report scams.

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Nadella scoffs at AI giants as Microsoft may host China’s DeepSeek
Cruel cyber training in Canada: testing if exhausted employees would fall for a 'day off' scam
Cloudflare gives AI agents temporary accounts to deploy websites without human logins
Developers giving attackers a free ride after hundreds of iPhone AI apps found exposing credentials
This tiny European country is pioneering digital ID for AI agents
Canadian lender TD tells some employees it will use software to monitor their work
ADVERTISEMENT