Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a data breach at the exercise technology company Kinomap. As a paid subscription service, Kinomap collects enormous amounts of data about its users, all of which was stored in an unsecured database. In total, the database was leaking over 42 million records, affecting people all over the world.
The researchers reached out to the company and presented the results of their investigation. While awaiting a reply from Kinomap, they also contacted the Commission nationale de l’informatique et des libertés (CNIL), France’s independent data privacy regulator. Although they never received a reply from Kinomap, the data breach was closed sometime around the 12th of April. They suspect this was due to an intervention by the CNIL.
The exposed database contained over 40GB of data, approximately 42,000,000 records. It also seemed to affect Kinomap’s entire user base, as the data originated from countries across the globe, say the researchers, including the following:
- South Korea
Among the millions of data files exposed were numerous forms of Personally Identifiable Information (PII) belonging to Kinomap users:
- Full names
- Home country
- Email addresses
- Usernames for Kinomap accounts
- Timestamps for exercises
- The date they joined Kinomap
Many of the entries, notes the blog, contained links to Kinomap user profiles and records of their account activity, which can reveal personal details about a user.
If a malicious hacker had discovered this database, they could easily have combined the information it contained in numerous ways to create highly effective and damaging fraud schemes and other forms of online attack, warn the researchers. They could also, the researchers add, potentially have taken over certain user accounts on Kinomap using information contained in the database.
For the full blog and more findings, visit the vpnMentor blog.
*All images courtesy of vpnMentor.