Security researcher Jeremiah Fowler discovered a database containing sensitive information from gym customers and staff, including names, financial details, and possibly phone calls, left unencrypted and unprotected. Fowler claims he discovered the wide-open AWS repository, managed by HelloGym, in late July.
The database was open for a week, and Fowler noted that identifying who managed the audio call repository required some effort.
“It was only after calling, asking individual gyms that mentioned their locations in the recording,” he told The Register. “I asked who they use to record their calls and one of the managers finally told me.”
HelloGym offers sales, marketing, phone-answering, and VoIP services for major gyms like Anytime Fitness, Snap Fitness, and UFC Gym. Their database includes 1.6 million audio files from various franchise locations of leading fitness brands in the US and Canada.
HelloGym declined to comment for this story, The Register reported.
The MP3 audio recordings include people’s names, phone numbers, and reasons for the calls, like renewing or canceling memberships. They were collected between 2020 and 2025, based on file dates and timestamps. According to Fowler, the database was likely a storage repository for VoIP audio files intended for internal use only.
“A very large number of the recordings referenced payment and billing issues,” Fowler said. “Although I didn’t hear any credit card numbers in the audio, it shows that members were comfortable discussing payment information over the phone.”
One risk is someone intercepting the call, pretending to be a gym employee, and tricking the member into sharing payment information or paying a fake fee – and then stealing their credit card or bank account details.
The audio files could be played in any web browser without requiring specialized software or a password to listen to them. Fowler advises using encryption to protect files from being easily readable if exposed. He also recommends penetration testing to find misconfigured or open storage systems.
Finally, he advises businesses to segment data that they are no longer using. “Far too often I see organizations storing years’ worth of records in a single database and not deleting old files,” Fowler said. “As a general rule, it is a good strategy to securely back up old data to limit the exposure in the event of a data incident.”