Slip-up by popular fitness app exposes health and contact details of millions

A fitness app with over five million users has leaked sensitive data, including phone numbers, email addresses, and weight, among other records.

We constantly provide health and fitness apps with sensitive data, including our measurements, menstruation cycles, mental health issues, medication schedules, symptoms, and more. So, it’s reasonable for us to expect that this most personal data is kept safe.

Unfortunately, security researchers have repeatedly proven that this is not always the case. Quite often, these apps share sensitive data with third parties for profit, exposing users to targeted advertising and security risks.

In some cases, sloppy cybersecurity hygiene puts us at risk. This time, our research team, determined to make the internet a safer place for everyone, discovered an unprotected dataset with a treasure trove of health-related data.

The dataset belongs to the users of Karafs, a health and fitness app popular in Iran and among Persian-speaking communities elsewhere. Over five million people use the app to count calories, manage their diet, and make healthier lifestyle choices.

The unprotected MongoDB dataset contained more than three million records, affecting the same number of individuals. The database is now protected. However, we can’t say for sure how long it was exposed.

What we do know is that threat actors could have discovered the exposed treasures in just a few seconds. Therefore, we contacted the company to see whether they had informed affected individuals and what measures were taken to prevent similar incidents in the future. We didn’t receive a reply before publishing this article.

Cybernews researchers assess that the issue was caused by a security misconfiguration, resulting in unauthorized public access to sensitive user information.
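The misconfiguration class described here, a MongoDB instance reachable from the internet with no authentication required, is one that a configuration audit catches before exposure happens. The following is an added example and is not code from Cybernews or from Karafs; it assumes mongod.conf has already been parsed into a Python dict, and both sample configurations are constructed for illustration.

```python
# Added example: audit a parsed mongod.conf for the misconfiguration class in
# this article (a network-reachable MongoDB with authorization disabled).
# Assumption: `config` is the YAML of mongod.conf already loaded into a dict;
# the sample configurations at the bottom are constructed, not Karafs's own.

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_mongod_config(config):
    """Return a list of (severity, message) findings; an empty list means clean."""
    net = config.get("net") or {}
    security = config.get("security") or {}
    findings = []

    # mongod binds to localhost only by default since 3.6; network exposure needs
    # either net.bindIpAll or a non-loopback address listed in net.bindIp.
    bind_all = bool(net.get("bindIpAll", False))
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    exposed = bind_all or any(ip not in LOOPBACK for ip in bind_ips)

    # security.authorization defaults to "disabled", so every client is trusted.
    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"

    if exposed:
        findings.append(("medium", "mongod listens on a non-loopback interface"))
    if not auth_enabled:
        findings.append(("medium", "security.authorization is not enabled"))
    if exposed and not auth_enabled:
        # The combination is what turns a database into a public dataset.
        findings.append(("critical", "database reachable over the network without authentication"))
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or "no findings")
```

A deployment that must listen on an internal interface still gets a medium finding for the non-loopback binding, which is the prompt to confirm that firewall rules and authentication are in place.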

The exposed user data included:

  • Names
  • Phone numbers
  • Email addresses
  • Date of birth
  • Height
  • Weight
  • Records of diseases
  • Allergy information

(Image: Karafs data exposure)

“Iran's unique internet landscape, with its stringent regulations and controlled access, adds an exotic dimension to this data breach. Applications like Karafs play a critical role in providing valuable services within this restricted environment, making the protection of user data even more crucial,” our researchers noted.

Such sensitive data puts users at risk of identity theft, fraud, and other malicious activities. Karafs users might also experience severe privacy violations and potential discrimination since their disease and allergy data were exposed.

“This data exposure highlights the critical importance of securing health and fitness applications, especially those handling sensitive personal and health-related information. While the database has been secured, the incident underscores the need for robust cybersecurity measures and vigilant data protection practices in the digital health industry to maintain user trust and ensure the privacy and security of sensitive information,” Cybernews researchers concluded.