Researchers discovered an unsecured GetHealth database with over 61 million fitness records in plain text, most detailing Fitbit and Apple HealthKit users.
Seven years after it was first announced, Apple's HealthKit is a key part of the Apple Watch, the iPhone, and — with the user's permission — third-party apps. Now one such third-party company has been found to be storing user data from HealthKit, Fitbit, and others in an unsecured repository.
According to WebSitePlanet, its team and security researcher Jeremiah Fowler discovered a database with 61,053,956 user records that was not password-protected. The database owner, GetHealth, was informed and now reports that the database has been secured.
"In a limited sampling of 20k+ records some of the top wearable health and fitness trackers appeared as a Source," wrote Fowler in a report. "Fitbit (Purchased by Google for 2.1 Billion in 2021) appeared 2,766 times, instances of what appears to be Apple's HealthKit 17,764."
Much of the data included the users' names, date of birth, location, and more. All of it was in plain text.
"It is unclear how long these records were exposed or who else may have had access to the dataset," continued Fowler. "We are not implying any wrongdoing by GetHealth, their customers or partners."
"Nor are we implying that any customer or user data was at risk," he wrote. "We were unable to determine the exact number of affected individuals before the database was restricted from public access."