Watch Your Steps – 61 Million Records Exposed Including Geo Locations of Apple and FitBit Users

When it comes to data breaches, most people wouldn’t think that the number of steps they took that day or the number of hours they sleep on average per night would be of any interest to cyber criminals. 

Social security numbers, credit card numbers, and passwords are usually red flags for any victim – a tell-tale sign of how severe the data breach truly is, and of the extent to which an individual has to take additional security measures and possibly reinvent their identity to protect themselves for the foreseeable future.

But all data is valuable, because taken together it provides insight into a person’s daily routine – their travel, sleep, and exercise patterns – all of which can lead to more targeted, escalated attacks such as fraud or extortion when combined with other parts of their identity.

On June 30, 2021, cybersecurity researchers at WebsitePlanet discovered an unsecured database that contained over 61 million records of Apple and Fitbit users. 

According to researchers, this database was not password protected, and belonged to GetHealth, a mobile app that allows users to access their health and wellness data from hundreds of fitness trackers, medical devices, and other apps on a single platform.

Though it’s unclear how long the database was exposed or who else had access to the data, the lack of this basic security measure exposed the names, dates of birth, and other key defining features such as weight, height, gender, and geolocation of many users.

This information makes it easy for malicious attackers not only to identify individuals by their appearance, but also to pinpoint exactly where they live and the routes they travel back and forth when exercising. Altogether, a perfect recipe for a parent’s worst fear – kidnapping.

Misconfigurations, such as a database left without password protection, allow attackers to easily access and exfiltrate sensitive data. And with more mobile apps and wearable devices on the rise to improve consumer health, user data is more at stake than ever.

It’s critical for all organizations to regularly scan for misconfigurations in their environment, especially those where databases are open to the public or are unencrypted. These errors, though costly, can easily be avoided. To learn how to detect and correct misconfigurations, visit www.dasera.com
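The three misconfigurations the article names (no authentication, reachable from the public internet, no encryption in transit) can be caught by a simple rule check over a database server's configuration before it ever goes live. The script below is an added example, not code from the original post or from Dasera or GetHealth; the article does not say which database engine was involved, so the sample configs here are constructed and assume the MongoDB `mongod.conf` key layout (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode`), whose defaults (localhost only, authorization disabled, TLS disabled) are real. The rule IDs and severities are this example's own.

```python
"""Rule-based audit of a database server config for the misconfigurations
discussed above: listening on all interfaces, no authentication, no TLS.

Assumption (not from the article): the config dict has the MongoDB
mongod.conf layout, i.e. what yaml.safe_load() would return for that file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    message: str


def _get(cfg, dotted_path, default=None):
    """Walk a dotted key path through nested dicts; return default if any key is absent."""
    node = cfg
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_database_config(cfg):
    """Return the list of findings for one server config (empty list means clean)."""
    findings = []

    # 1. Public exposure: bound to every interface (0.0.0.0 / ::) or bindIpAll set.
    bind_ip = _get(cfg, "net.bindIp", "127.0.0.1")      # mongod default is localhost only
    if isinstance(bind_ip, list):
        bind_ip = ",".join(bind_ip)
    bind_all = _get(cfg, "net.bindIpAll", False) is True
    listens_publicly = bind_all or any(
        ip.strip() in ("0.0.0.0", "::") for ip in str(bind_ip).split(",")
    )
    if listens_publicly:
        findings.append(Finding("DB-BIND-ALL", "high",
                                "server listens on all interfaces; restrict net.bindIp to private addresses"))

    # 2. No authentication: mongod default is authorization disabled.
    auth = _get(cfg, "security.authorization", "disabled")
    if auth != "enabled":
        findings.append(Finding("DB-NO-AUTH", "critical",
                                "no password/role check; set security.authorization: enabled"))

    # 3. No encryption in transit: mongod default TLS mode is disabled.
    tls_mode = _get(cfg, "net.tls.mode", "disabled")
    if tls_mode != "requireTLS":
        findings.append(Finding("DB-NO-TLS", "high",
                                f"net.tls.mode is '{tls_mode}'; set requireTLS with a certificateKeyFile"))

    # 4. The combination behind breaches like the one above: reachable AND unauthenticated.
    if listens_publicly and auth != "enabled":
        findings.append(Finding("DB-PUBLIC-NO-AUTH", "critical",
                                "database is reachable from the network without any credentials"))
    return findings


# Constructed sample configs (not the incident's actual configuration).
EXPOSED_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "storage": {"dbPath": "/var/lib/mongo"},
}

HARDENED_CONFIG = {
    "net": {
        "bindIp": "127.0.0.1,10.0.0.5",
        "port": 27017,
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/db.pem"},
    },
    "security": {"authorization": "enabled"},
}


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_database_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.rule_id}: {f.message}")
```

Run against the exposed sample it reports four findings, the last of which is the "reachable without credentials" combination that turns a local mistake into a public leak; the hardened sample reports none. In practice the same rules would run in CI over the real config file (loaded with `yaml.safe_load`) and as a scheduled check against deployed hosts, so a drift back to the defaults is caught before anyone else finds it.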

Author

Tu Phan