A popular fitness app just leaked 42 million records of user data

Personal data stealing. Social media. Thief. Conceptual illustration. Flat editable vector illustrat...


Number of records leaked, according to a vpnMentor report.


It goes without saying that COVID-19 has disrupted the day-to-day business for multiple industries, especially restaurants, theaters, and bars. But it has also provided an inadvertent opportunity for the creators of smart fitness apps. Indoor workouts are on the rise, gym shorts are disappearing from Amazon shelves, people are buying fitness bikes, yoga mats, pilates equipment, and much more.

Whether this rush to nab workout programs and items is out of boredom or an impulse to build immunity, the fitness app industry is set to boom as lockdown orders increase. And already security issues are popping up.

According to vpnMentor, which has previously reported on similar data leaks, an unsecured database belonging to the fitness app Kinomap leaked 42 million records of private user data. If this treasure trove of deeply sensitive information landed in the wrong hands, the consequences for Kinomap and its subscriber base in more 80 countries would have been dire.

What is Kinomap? — Kinomap is a popular fitness app among rowing, cycling, and running enthusiasts. The app collects and presents immersive visual content shared by professional trainers as well as private users. The idea is to imitate outdoor activity for an indoor workout. For the quarantined individual who wants to get their daily workout fix, it's the perfect program.

Repercussions of an unsecured database — According to vpnMentor, the cybersecurity research firm reached out to Kinomap's creators but never heard from them. The data leak was closed around April 14, the firm reports. But if the information reached bad actors online, the repercussions of Personally Identifiable Information (PII) belonging to Kinomap users around the world would have been distressing.

According to vpnMentor, the unsecured database contained information related to Kinomap users' full names, home countries, their personal email addresses, their Kinomap usernames, stated gender on profiles, when they logged in individual workouts, and the time they joined the app. The consequences of such a leak could have been twofold. Firstly, it would expose private users to fraud, phishing campaigns, and malware. Unsuspecting users would be tricked into providing their financial credentials like credit card details to hackers. As for the company, it would likely have been a target for financial fraud.


A security headache under COVID-19 — As vpnMentor notes, the France-based Kinomap has an ethical obligation to report this database incident to the Commission nationale de l’informatique et des libertés (CNIL), which is the country's independent security watchdog.

Kinomap should be proactive about tightening its servers. If it fails to follow these fundamental procedures, Kinomap users might abandon the app. After all, homebound people shouldn't have to compromise their privacy for an effective workout.