"Mariana Tek," an American fitness studio management platform that helps millions of customers book their sessions on fitness clubs, had a security breach incident that exposed 1,522,740 million user records. The platform left an Amazon Web Services bucket exposed online without setting a password, so anyone with a web browser could have accessed it.
The 633 CSV files containing the records were discovered and scrutinized by the team of researchers at CyberNews, which immediately notified the owner. Mariana Tek eventually secured the bucket on February 12, 2021.
Of the 1.5 million records, 850,831 were unique, so this is the number of people (clients, business owners, trainers) who were exposed as a result of this incident. The data includes the following details:
The implications of having the above details exposed range from spamming and scamming to phishing attacks. Since financial details and passwords aren’t there, the only thing that the exposed individuals need to be careful with is incoming communications, be it emails or SMS, or even phone calls.
While the data was secured almost immediately, the date of the first exposure is unknown, so the bucket may have been accessible for quite some time. Considering that hackers only need a few hours to discover and exfiltrate data on unprotected servers, you should consider the records exposed. CyberNews has added the dataset on its leak checker, so you may check yourself there and figure out if you have been compromised.
If you own a company that uses the Mariana Tek API, contact them and ask for details. Also, inform your customers that they have been potentially exposed, as this is very important in helping them stay safe. You may also want to reset all user passwords as a precaution. If you are a spa or fitness club customer, contact the place and ask if the app you’re using relies on the Mariana Tek platform.