Researchers from CyberNews discovered an exposed pool of data that belongs to Mariana Tek, a US-based fitness management platform. The data is contained in unsecured CSV files with more than 1.5 million user records – usernames, full names, residential and email addresses, phone numbers, account balances, etc.
The CSV files were stored on Amazon Web Services and accessible by anyone with the right URL to the files.
The exposed Mariana Tek data comprised 36,951 files, including 633 CSV files containing 1,522,740 user records dating as far back as 2019. These users had previously signed up for fitness and wellness activities such as spa through Mariana Tek’s clients using the Mariana Tek API.
In addition to user records, thousands of profile pictures of users, business owners, and fitness and wellness trainers were exposed as well.
At this time, it is unknown whether anyone has accessed or stolen the unsecured Mariana Tek data.
The files stored on the exposed AWS server did not contain highly sensitive data such as passwords, personal documents, or IDs. However, even this data can be enough for phishers and scammers to carry out targeted attacks by sending spam emails or text messages. Criminals could also combine Mariana Tek’s data with data from other breaches to perform identity theft.
The CyberNews team immediately reached out to the company and Amazon and alerted them about the exposed data. According to Kevin Kanji, Chief Security Officer at Transaction Services Group (the parent company of Mariana Tek), the fitness company “acted immediately to investigate the matters reported” and promptly disabled access to the files that stored the personal information of Mariana Tek users.
“We take information security very seriously and want to thank both CyberNews and AWS for bringing this matter to our attention,” Kanji told CyberNews.
On February 12, Mariana Tek secured the sensitive files and they are no longer publicly accessible.