A researcher discovered an openly accessible, unencrypted storage bucket tied to Hello Gym, a Minnesota communications and lead-management vendor used by fitness franchises, containing 1,605,345 MP3 recordings of calls and voicemails spanning roughly 2020 to 2025. Spot checks revealed members' names, phone numbers, and reasons for calling (often billing, payment updates, or renewals). Several major gym brands were referenced, but their corporate teams said they do not centrally record audio; independent franchise locations were using the third-party service. After responsible disclosure via Website Planet and outreach to one brand's privacy team, the bucket was locked down within hours. How long it was exposed and whether anyone else accessed the data remain unknown pending forensic review; a review can only answer the second question if object-level access logging was enabled on the bucket before it was discovered, which is why such findings often stay unresolved.
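The root cause here is a bucket that answered unauthenticated requests. The following is an added example, not code from the article or from Hello Gym, showing the check a practitioner would run on a bucket like this before (and after) an incident: it audits an AWS S3-style bucket policy for Allow statements that grant read or list access to anonymous principals, including wildcard actions and grants that are only narrowed by a spoofable Condition. The article does not name the storage provider, so the S3 policy format, the bucket and role names, and the sample policies are assumptions constructed for illustration.

```python
"""Audit a bucket policy for anonymous read/list grants.

Added example, not code from the article or from Hello Gym. Assumes an
AWS S3-style bucket policy (the article does not name the provider); the
sample policies below are constructed for illustration.
"""
import json
from typing import Any, Dict, List

# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalar-or-list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """'*' and {'AWS': '*'} both mean everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_read(action: str) -> bool:
    """True if the action string covers GetObject or ListBucket (wildcards included)."""
    a = action.lower()
    if a in READ_ACTIONS:
        return True
    if a.endswith("*"):  # e.g. "s3:Get*" covers s3:GetObject
        prefix = a[:-1]
        return any(r.startswith(prefix) for r in ("s3:getobject", "s3:listbucket"))
    return False


def find_public_read_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return every Allow statement that exposes object data to anonymous principals."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # NotPrincipal/NotAction invert matching; surface them for manual review
        # rather than risk silently passing a grant this simple matcher misreads.
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append({"sid": stmt.get("Sid"), "actions": [],
                             "resources": _as_list(stmt.get("Resource")),
                             "conditioned": "Condition" in stmt,
                             "note": "uses NotPrincipal/NotAction; review manually"})
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _grants_read(a)]
        if not actions:
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (aws:SourceIp, aws:Referer, ...) narrows the grant, but
            # Referer is trivially spoofed, so a conditioned grant is still a finding.
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed sample policies (hypothetical bucket and role names).
_RESOURCES = ["arn:aws:s3:::call-recordings-example",
              "arn:aws:s3:::call-recordings-example/*"]

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": _RESOURCES}]})

CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RefererGate", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": _RESOURCES[1],
    "Condition": {"StringLike": {"aws:Referer": "https://portal.example/*"}}}]})

FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "IngestRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-ingest"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": _RESOURCES}]})


def main() -> None:
    for name, doc in (("open", OPEN_POLICY), ("conditioned", CONDITIONED_POLICY),
                      ("fixed", FIXED_POLICY)):
        findings = find_public_read_statements(doc)
        print(f"{name}: {'PUBLIC' if findings else 'ok'} {findings}")


if __name__ == "__main__":
    main()
```

The policy is only one of several ways a bucket becomes public (ACLs and account-level public-access-block settings also matter), so treat an empty result as necessary, not sufficient; the strongest check is still an unauthenticated request against the bucket from outside your account.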

The content of the recordings creates concrete risks: highly credible social-engineering and vishing attempts (for example, impersonating gym staff and citing a member's real call history as pretext to request card updates or fee payments), misuse of employee verification details and, in some calls, alarm-disarm credentials that were spoken aloud, and biometric exposure, since even short clips are enough to train an AI voice clone. Beyond the privacy harm to members and staff across the U.S. and Canada, the incident has regulatory implications: in the U.S., the FTC treats voice recordings as biometric information when they can be used to identify an individual, and state laws such as Illinois's BIPA and the regimes in Texas, Washington, and California treat certain voice data as sensitive.
