Gym Customer Data Exposed in Unsecured Database: Biometric and Personal Info at Risk
A security researcher uncovered a significant data breach involving sensitive information from hundreds of thousands of gym customers and staff, stored in an unencrypted, unprotected database. The breach highlights the dangers of poor data security practices in the fitness industry and beyond.
Discovery of Leaked Data
Jeremiah Fowler, a leaky database hunter, identified the unsecured AWS repository managed by HelloGym in late July. He shared his findings with The Register, revealing that the database remained accessible for about a week before being shut down.
Fowler discovered that the repository contained approximately 1.6 million MP3 audio files, including recordings from top gym chains like Anytime Fitness, Snap Fitness, and UFC Gym, across multiple US and Canadian locations. These recordings spanned from 2020 to 2025 and were intended for internal use to manage customer calls.
Contents of the Audio Files
The audio recordings included personal details such as:
- Names
- Phone numbers
- Call reasons (e.g., membership cancellations or renewals)
- Payment and billing issues
While no credit card details were heard, the conversations revealed members discussing sensitive financial information openly over the phone. In some instances, gym employees provided their own credentials and contact details for account verification, which may have been exploited by malicious actors.
Potential Security Threats
The exposed data presents multiple risks:
- Identity Theft and Impersonation: Attackers could clone voices using AI tools like Microsoft’s VALL-E, which can synthesize human voices with only a few seconds of sample audio. This makes impersonating individuals in scams increasingly feasible.
- Social Engineering Attacks: Criminals could call gym members, impersonating staff and requesting additional personal or financial information, enabling them to steal identities or funds.
- Credential Exploitation: The recordings included staff providing usernames and passwords, which could be used to compromise organizational systems.
- Interception and Man-in-the-Middle Attacks: Without encryption, attackers could eavesdrop on or intercept calls, manipulate conversations, or record sensitive data for malicious use.
The Role of AI and Deepfakes
As AI voice cloning advances, threats become more sophisticated. Open-source AI models like VALL-E threaten to facilitate voice-based impersonation, deepfake audio, and even fake videos. Such capabilities heighten the risk of financial fraud and corporate sabotage.
Fowler emphasized that collecting biometric and personally identifiable information (PII) in unsecured settings magnifies vulnerabilities, especially when combined with open-source AI technologies. This data, if exploited, can aid in convincing individuals of authenticity through familiar voices, thus increasing the success rate of social engineering scams.
Recommendations for Organizations
To mitigate such risks, experts advise:
- Using Encryption: Protect stored data with encryption to prevent unauthorized reading if exposed.
- Regular Penetration Testing: Identify and fix vulnerabilities in storage and access controls for cloud repositories.
- Segmentation and Data Deletion: Avoid storing years of unnecessary data; regularly decommission old or unused files securely.
- Educating Staff and Customers: Raise awareness about sharing sensitive information via calls and voicemails.
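The first three recommendations can be checked mechanically for an S3-style bucket like the one described above. The following audit function is an added example, not code from the article or from HelloGym; its input dictionaries mirror the shape of the boto3 `get_public_access_block`, `get_bucket_encryption` and `get_bucket_lifecycle_configuration` responses, the 365-day retention limit is an assumed policy, and both sample configurations are constructed.

```python
"""Audit bucket settings for the three weaknesses this incident illustrates:
public exposure, no encryption at rest, and indefinite retention.
Added example; input shapes mirror boto3 responses, sample data is constructed."""

MAX_RETENTION_DAYS = 365  # assumed policy: recordings older than a year are deleted


def audit_bucket(name, public_access_block, encryption, lifecycle):
    """Return a list of human-readable findings; an empty list means the bucket passes."""
    findings = []
    # 1. Public exposure: all four public-access-block settings must be enabled.
    pab = public_access_block or {}
    missing = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                           "BlockPublicPolicy", "RestrictPublicBuckets")
               if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access not fully blocked ({', '.join(missing)})")
    # 2. Encryption at rest: a default SSE rule (SSE-S3 or SSE-KMS) must exist.
    rules = (encryption or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append(f"{name}: no default server-side encryption")
    # 3. Retention: an enabled lifecycle rule must expire objects within the limit.
    expiries = [r["Expiration"]["Days"] for r in (lifecycle or {}).get("Rules", [])
                if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    if not expiries or min(expiries) > MAX_RETENTION_DAYS:
        findings.append(f"{name}: no lifecycle rule expiring objects within {MAX_RETENTION_DAYS} days")
    return findings


# Constructed sample: the weak configuration (nothing blocked, nothing encrypted, no expiry)
WEAK = dict(name="call-recordings-weak", public_access_block={}, encryption=None, lifecycle=None)

# Constructed sample: the corrected configuration
HARDENED = dict(
    name="call-recordings-hardened",
    public_access_block={k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets")},
    encryption={"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    lifecycle={"Rules": [{"Status": "Enabled", "Expiration": {"Days": 365}}]},
)

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(cfg["name"], audit_bucket(**cfg) or ["OK"])
```

Fed real responses from boto3 instead of the constructed dictionaries, the same function produces a per-bucket finding list that a cloud security review can act on.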
Final Thoughts
This incident underscores the importance of rigorous data security measures, especially when handling sensitive customer information and biometric data. Organizations must implement best practices to protect against accidental leaks and malicious exploitation in an increasingly AI-driven threat landscape.
Stay vigilant and prioritize data security to prevent similar breaches.