A Security Breach of Epic Proportions: Gym Customers’ Sensitive Info at Risk

A staggering 1.6 million audio recordings of phone calls made by fitness enthusiasts and staff have been left exposed online, leaving sensitive information vulnerable to cyber threats. The recordings, stored as MP3s, contain personal details such as names, phone numbers, and reasons for the calls, including payment and billing issues. The database, managed by HelloGym, was left unencrypted and not password-protected, allowing anyone who found it to listen to the recordings without specialized software.
According to security researcher Jeremiah Fowler, who discovered the breach, the database was likely a storage repository for VoIP audio files intended for internal use only. However, the recordings could have been accessed by criminals, allowing them to perform an adversary-in-the-middle attack, where they pose as an employee and ask for payment information or a phony cancellation fee. The potential for identity theft and deepfake videos or audio recordings is also a concern, given the rise of AI tools that can clone a human voice from just three seconds of audio.
Fowler warned that the breach is a “real potential risk” and that social media accounts can provide valuable information that could be used to target individuals. He emphasized the importance of using encryption, performing penetration testing, and segmenting data that is no longer in use to prevent similar breaches in the future.
The HelloGym database contained recordings from a number of franchise locations of top gyms, including Anytime Fitness, Snap Fitness, and UFC Gym. The audio files were collected between 2020 and 2025 and mentioned people’s names, phone numbers, and reasons for the calls. Some of the recordings also contained gym employees calling the corporate headquarters or client services department and providing their own names, gym number, and personal passwords to verify themselves before requesting account changes for members.
In some instances, the calls included gym employees sharing personal passwords and verification details, which could have been exploited by malicious actors to impersonate staff in a social engineering attack. Fowler highlighted that this type of breach is not just a hypothetical scenario, but a real and present danger as cybercriminals continue to evolve their tactics.
The exposure of such a vast amount of personal and financial information raises serious questions about the security practices of companies that handle sensitive customer data. It also underscores the need for stronger data protection measures, including the encryption of sensitive information and regular security audits to identify and address vulnerabilities.
HelloGym has not publicly commented on the breach, but the incident serves as a stark reminder of the importance of data security in an era where cyber threats are becoming increasingly sophisticated. As AI technologies advance, the risks associated with data breaches are likely to grow, making it more critical than ever for organizations to adopt robust security protocols to protect their customers and employees.