The leaks, which were both repaired as of Monday, are believed to have left the personal information of Hzone and iFit users vulnerable since at least late November and last week, respectively, according to the cybersecurity blog DataBreaches.net, which first reported them.
These two leaks together affect far fewer people than another data breach affecting 13 million users of the software MacKeeper, a breach reported the same day and discovered by the same "white hat" security researcher Chris Vickery. But the health app leaks are significant because they contained, in some cases, unusually sensitive and personal information. They also underscore how many health apps do not have to comply with federal patient privacy laws — even if they collect personal information — if they do not share that information with doctors and others bound by those same privacy laws.
In the case of Hzone, such information included names, email addresses, birthdays, relationship statuses, number of children, sexual orientation, sexual experiences, and messages like this, according to DataBreaches.net: "Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go in meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx.” As many as 5,000 users appeared in the breach.
Meanwhile, more than 567,000 users were exposed in a data breach involving iFit, an app that syncs with wearable devices and exercise equipment like NordicTrack and Reebok. iFit can collect information like passwords, weight, gender, addresses, credit card data, and workout data (like your heart rate and date and time of your workout).
Vickery told BuzzFeed News that he discovered the leaks by looking through Shodan, a search engine that indexes pretty much anything connected to the internet. After he found databases for iFit and Hzone and realized they shouldn't be public, he brought them to the attention of DataBreaches.net.
Both Vickery and DataBreaches.net, whose publisher goes by "Dissent," alerted Hzone's developers to the leak. DataBreaches.net reported that Hzone did not secure the leak for five days after it was contacted Dec. 8, nor did it immediately respond to their inquires. "The Hzone leak was particularly frustrating to both of us because although it was the smallest leak I reported, the data were so sensitive," Dissent told BuzzFeed News in an email. "We simply could not get a response from them despite using their contact form on their web site (both of us tried) and despite email to their support email address, which generated a receipt that it was opened."
Vickery told iFit about its leak by email on Dec. 10. The company claimed what he'd discovered was a years-old test database "with real data" and said it would be taken down; on Monday, Vickery was told the issue had been resolved.
On Wednesday, two days after DataBreaches.net reported the breaches, Hzone CEO Justin Robert told BuzzFeed News by e-mail that the leak had happened while the company was updating its servers. He wrote, "However, the breach was identified very swiftly, and strong security measures were put in place to secure the servers and databases immediately." He had not notified users yet; he said he planned to do so by posting an announcement on the website.
iFit did not respond to requests for comment on the breaches or its respective plan for notifying affected users.
This post was updated to include comments from Hzone's CEO.
Stephanie M. Lee is a science reporter for BuzzFeed News and is based in San Francisco.
Contact Stephanie M. Lee at firstname.lastname@example.org.
Got a confidential tip? Submit it here.