French provider Kinomap has suffered a data leak: an unprotected database containing about 42 million records (40 GB) of user data was reachable on the Internet.
Kinomap was founded in France in 2002 and today has an international user base in over 80 countries. The company creates immersive (VR) training videos for people who train on rowing machines, bicycle ergometers and treadmills.
The videos are real footage of popular running, cycling and rowing tracks around the world, uploaded by Kinomap users and professional trainers. Kinomap also offers training videos that resemble a session people would do with a personal trainer.
All videos are interactive and combined with the mobile Kinomap app. Users can create structured, dynamic home workouts that mimic real outdoor environments in countries around the world.
Data collection app and data leakage
There is one app each for Android and iOS. The basic offer is free, but there is also a paid subscription. As a paid subscription service, Kinomap collects enormous amounts of data about its users, all of which was stored in an unsecured database. In total, the database leaked more than 42 million records, affecting people all over the world.
Security researchers at vpnMentor came across this unsecured database of user data on March 16, 2020 while searching the Internet. The provider had to be contacted several times before the database was removed from the net around April 12, 2020. The following customer data could be retrieved from Kinomap's open database:
- Full names
- Home country
- Email addresses
- Usernames for Kinomap accounts
- Timestamps for exercises
- The date they joined Kinomap
(Kinomap data leak, Source: vpnMentor)
It seems that the database affects the entire Kinomap user base, as the data came from countries all over the world. Here is a list of some countries:
- The USA
- South Korea
Among the millions of exposed data files were numerous items of personally identifiable information (PII) about Kinomap users. In the wrong hands, this type of information can be used for online fraud and phishing attacks. Details about the data leak can be read in this blog post.