FitMetrix exposed millions of customers' records in a passwordless database
On October 5th, a member of the Hacken security team was browsing Shodan for exposed Elasticsearch instances, which have recently become targets of another wave of ransomware campaigns.
For those of you who have just started following our reports and are unfamiliar with the basic terminology: Shodan is a 'Google-like' public search engine that lets you discover internet-connected devices (such as webcams, routers and remote desktops) and cloud instances (such as databases).
In turn, Elasticsearch is a database that stores, retrieves, and manages document-oriented and semi-structured data.
Prior to this search, almost a year ago, on Feb 20th 2018, the following was announced: "MINDBODY, the leading technology platform for the wellness services industry, announced the acquisition of FitMetrix, the creator of performance tracking solutions designed to help wellness businesses increase retention, and provide wellness seekers with an engaging, more interactive fitness experience".
Somewhere between these dates (possibly September), a FitMetrix-related Elasticsearch database holding 119GB of data ended up being indexed by Shodan, where I found it on October 5th. No password or login was required to view the data.
There were two IPs, both serving the identical set of data, open to the public:
Moreover, Shodan had labeled the database as 'compromised', meaning that it contained a 'Readme' file with a ransom demand note. Elasticsearch, like other popular non-SQL databases, has been targeted by malicious actors for a long time; the first reports of those attacks were published in January 2017.
Ransom note reads as follows:
"mail":"firstname.lastname@example.org","note":"14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3","btc":"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"}}]}}
It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note.
This script sometimes fails and the data is still available to the user even though a ransom note is created.
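As an added example (not part of the Hacken write-up), the check below is what a defender can run against their own cluster to spot the two conditions described above: an index listing that answers without credentials, and a leftover ransom-note index whose document reads like the note quoted earlier. The index names, the ransom-note regex and the sample responses are constructed assumptions; only the `_cat/indices` JSON column names are real Elasticsearch output.

```python
"""Audit an Elasticsearch cluster for anonymous access and ransom-note indices."""
import json
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Index names that Elasticsearch ransom scripts commonly leave behind (assumed list;
# the write-up only mentions a 'Readme' entry).
RANSOM_INDEX_PATTERN = re.compile(r"^(read_?me|warning|please_read|how_to_restore)", re.I)
# Phrases modelled on the ransom note quoted in the write-up.
RANSOM_TEXT_PATTERN = re.compile(r"backed up at our servers|send [\d.]+ btc|bitcoin", re.I)

# Constructed sample of GET /_cat/indices?format=json from an exposed cluster.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "platformaudit-2018.09.19", "docs.count": "1200345", "store.size": "1.1gb"},
    {"index": "fitmetrixaudit", "docs.count": "113521722", "store.size": "60gb"},
    {"index": "readme", "docs.count": "1", "store.size": "4.5kb"},
])
# Constructed sample hit from the 'readme' index (fields mirror the note above).
SAMPLE_README_HIT = {"_source": {
    "mail": "attacker@example.invalid",
    "btc": "ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, "
           "TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS <placeholder>"}}


def summarize_indices(cat_json: str) -> dict:
    """Sum doc counts per index prefix and flag indices that look like ransom notes."""
    totals, suspicious = {}, []
    for entry in json.loads(cat_json):
        name = entry["index"]
        prefix = name.split("-")[0]          # platformaudit-2018.09.19 -> platformaudit
        totals[prefix] = totals.get(prefix, 0) + int(entry.get("docs.count") or 0)
        if RANSOM_INDEX_PATTERN.match(name):
            suspicious.append(name)
    return {"totals": totals, "ransom_indices": suspicious}


def looks_like_ransom_note(hit: dict) -> bool:
    """True if any string field of a document reads like a ransom demand."""
    return any(isinstance(v, str) and RANSOM_TEXT_PATTERN.search(v)
               for v in hit.get("_source", {}).values())


def answers_without_credentials(base_url: str, timeout: float = 5.0) -> bool:
    """True if /_cat/indices on YOUR cluster responds with no credentials at all."""
    try:
        with urllib.request.urlopen(f"{base_url}/_cat/indices?format=json", timeout=timeout) as r:
            return r.status == 200
    except (HTTPError, URLError):   # 401/403 or unreachable: auth is enforced / not exposed
        return False


if __name__ == "__main__":
    print(summarize_indices(SAMPLE_CAT_INDICES), looks_like_ransom_note(SAMPLE_README_HIT))
```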
The database in question was structured to hold daily FitMetrix platform audit data covering July 15th to Sept 19th 2018. An API key was also visible.
The total count of records in 'platformaudit' indexes was 122,869,970.
The total count of records in 'fitmetrixaudit' index was 113,521,722.
We assume that not all of those records represent customer records; some of them relate to 'facility' descriptions, but the numbers are nevertheless large. The following information in Profile records was exposed:
Some fields were left blank, but those marked with XXX were present in most of the records I have observed.
We immediately sent several emails to FitMetrix and Mindbody to privately alert them to the exposed database, but, as often happens in these scenarios, the only response we received was an automatic message from a support domain promising a reply within one day and noting that "all emails are saved and may be reviewed for quality assurance purposes".
Taking into account the size and sensitivity of the data, we decided to contact trusted journalists with whom we had worked on several similar cases in the past, so that they could reach out to the company via their 'media channels' and get its attention.
Finally, after several notification attempts, Mindbody responded and the database was secured on October 10th.
This article will be updated when we have more information from the company.
Director of Cyber Risk Research at Hacken. Email: email@example.com