Not all data exposures or breaches are malicious in nature. However, any exposure brings danger, especially when it comes to personally identifiable information.
Cybersecurity researchers love scouring the web for flaws, scams, or, in this case, non-password-protected databases.
A recent investigation by cybersecurity researcher Jeremiah Fowler, published on WebsitePlanet, revealed just that: a serious data exposure involving Hello Gym, a communications and lead management platform serving gyms and fitness centers across the US and Canada.
According to Fowler, the publicly accessible database contained 1.6 million audio files (.mp3s) stored without encryption or password protection. The researcher found that the recordings included both voicemail messages and internal phone calls containing personally identifiable information (PII) such as names, phone numbers, details of the member's inquiry, and even passwords used in employee authentication processes.
Although the incident was resolved (the database was secured) within hours of the disclosure, Fowler stressed the risks stemming from such a treasure trove of information left out in the open.
“There are numerous potential risks in the exposure of internal audio recordings of staff, clients, and prospective members,” the researcher noted. “The voicemails that I heard should not have been publicly accessible, as they often included personal details such as names, phone numbers, and the reasons for calling. These reasons were most commonly related to billing issues, payment information updates, or membership renewals.”
Additionally, it remains unclear how long the data had been exposed, or if malicious access occurred.
This breach illustrates multiple risks to both customers and staff. Scammers could impersonate gym staff and call members using details from the recordings, tricking them into handing over updated credit card information or paying a fake cancellation fee. Meanwhile, cybercriminals can cross-reference breached data to build complete victim profiles, targeting public figures or high-net-worth individuals.
Having audio recordings of their voices only amplifies the risk. Even more concerning, some recordings revealed that employees disclosed personal passwords and gym IDs when requesting account changes, creating opportunities for fraudsters to impersonate staff. In another instance, a manager shared alarm credentials with a monitoring service, information that could, in the wrong hands, enable unauthorized physical access to gym facilities after hours.
When it comes to data breaches, consumers need to be proactive. Enter Bitdefender Digital Identity Protection, a powerful and user-friendly solution that provides a multi-layered approach with:
1. Real-Time Monitoring of YOUR Data Exposure
Bitdefender scans the open web and the dark web continuously for compromised emails, passwords, and other personal details. If your contact details or other exposed data are detected, you receive immediate alerts that allow you to act before damage occurs.
2. Comprehensive Visibility Into Your Digital Footprint
The service provides a Digital Footprint Visualization, helping you understand which of your personal data is publicly accessible. Additionally, your Identity Protection Score reflects your exposure level and provides guidance on enhancing your online safety.
3. Clear, Actionable Remediation Steps
Rather than just alerting you to breaches, Bitdefender offers guided next steps — whether that means changing passwords, updating authentication methods, or securing accounts.
4. Impersonation Detection
The platform can flag suspicious social media profiles that may be attempting to impersonate you — a particularly valuable feature given the Hello Gym scenario where voice and personal details were exposed.
5. Privacy-First and Easy to Use
No downloading of apps or sharing sensitive financial data is necessary. You set which email addresses and phone numbers to monitor, and the service does the rest.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
May 16, 2025