
Putting Members’ PII and Voices at Risk
A cybersecurity researcher reports discovering an openly accessible database tied to Hello Gym, a Minnesota-based communications and lead-management vendor for fitness businesses. The storage bucket, which required no password and used no encryption, held 1,605,345 MP3 audio files—internal phone calls and voicemails referencing gym members across the U.S. and Canada. In spot checks, recordings included names, phone numbers, and call reasons (often billing issues, payment updates, or membership renewals). File listings suggested the cache spanned 2020–2025. After the researcher alerted Website Planet and contacted a corporate privacy team from one affected brand, franchisees confirmed they were using a third-party tool; the contractor was identified as Hello Gym, and public access was restricted within hours. The duration of exposure and whether others accessed the data remain unknown; only a forensic review could confirm additional activity.
Although several well-known chains were referenced in calls, corporate representatives said they do not record audio centrally; rather, independent franchise locations had adopted a third-party solution. Evidence in filenames and metadata pointed to Hello Gym’s VoIP and call-recording stack as the source, consistent with the company’s services (call handling, automated outreach, and sales enablement for fitness studios). Beyond obvious privacy concerns, the recordings create high-value fodder for social engineering: criminals could impersonate staff to solicit card updates or “cancellation fees,” citing precise dates, times, and membership details pulled from voicemails. Some clips reportedly captured employee verification details—names, location codes, and even passwords used when contacting corporate support—raising the risk of account manipulation. One recording involved a manager giving credentials to disable a security alarm for testing, a detail that could be misused to attempt after-hours entry. The exposure also raises biometric issues: short audio snippets can enable AI voice cloning, a capability that has featured in recent, high-value frauds. In the U.S., the FTC treats voice recordings as biometric information when voiceprints can identify a person, and states such as Illinois (BIPA), Texas, Washington, and California have laws recognizing voice data as sensitive.
Why this matters
Audio leaks combine PII with context—who called, about what, and when—dramatically boosting the credibility of phishing and vishing scams. The presence of staff credentials or internal processes in recordings widens the blast radius to operational abuse. And unlike emails or spreadsheets, voice carries biometric signals that can be cloned and replayed across channels (phone, messaging apps, deepfake video) to bypass human intuition.
What affected members and staff can do
Be skeptical of unsolicited calls about billing or account changes—even if the caller cites real-sounding details. Hang up and re-dial using official numbers from the gym’s website or app. Avoid sharing payment data by phone; use the official portal instead. Consider family or team codewords for urgent calls and enable strong security on email and mobile accounts to blunt follow-on attacks.
What companies and franchisees should do now
- Lock down storage: Require authentication, enable encryption at rest, and remove public ACLs on any bucket holding recordings.
- Minimize and segment data: Retain only what’s necessary, archive older files offline, and isolate recordings from other systems.
- Scrub sensitive audio: Eliminate recording of passwords, PINs, or alarm codes; train staff to move verification into secure channels.
- Harden VoIP and logging: Enforce MFA for dashboards, rotate API keys, and restrict access by IP and role.
- Test and monitor: Run external attack-surface scans, conduct periodic pen tests, and deploy alerting for anomalous access.
- Vendor diligence: Demand evidence of security controls (SOC 2/ISO 27001), data-handling practices, and incident response from third-party platforms.
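As an added example (not code from the article, the researcher, or Hello Gym), the "Lock down storage" and "Test and monitor" points can be turned into a concrete alert: the script below parses constructed Amazon S3 server access log lines and reports anonymous bucket listings and anonymous downloads of objects under a `recordings/` prefix, which is precisely the trace a public ACL leaves behind. The article does not name the storage provider, so the S3 log format, the bucket name and the object prefix are assumptions.

```python
import re
from collections import Counter

# Constructed S3 server access log lines (sample data, not from the incident).
# Field order: owner bucket [time] ip requester reqid operation key "uri" status ...
SAMPLE_LOG = """\
acct1 gym-calls [10/Mar/2025:02:14:05 +0000] 203.0.113.7 - R1 REST.GET.BUCKET - "GET /?prefix=recordings/ HTTP/1.1" 200 - 4096 - 12 11 "-" "python-requests/2.31" -
acct1 gym-calls [10/Mar/2025:02:14:09 +0000] 203.0.113.7 - R2 REST.GET.OBJECT recordings/2024/vm-0001.mp3 "GET /recordings/2024/vm-0001.mp3 HTTP/1.1" 200 - 812345 812345 40 9 "-" "python-requests/2.31" -
acct1 gym-calls [10/Mar/2025:02:14:10 +0000] 203.0.113.7 - R3 REST.GET.OBJECT recordings/2024/vm-0002.mp3 "GET /recordings/2024/vm-0002.mp3 HTTP/1.1" 200 - 655321 655321 35 8 "-" "python-requests/2.31" -
acct1 gym-calls [10/Mar/2025:09:30:00 +0000] 198.51.100.9 arn:aws:iam::111122223333:user/crm-svc R4 REST.GET.OBJECT recordings/2024/vm-0003.mp3 "GET /recordings/2024/vm-0003.mp3 HTTP/1.1" 200 - 700000 700000 30 7 "-" "aws-sdk-java/1.12" -
acct1 gym-calls [11/Mar/2025:03:01:22 +0000] 192.0.2.5 - R5 REST.GET.OBJECT recordings/2024/vm-0001.mp3 "GET /recordings/2024/vm-0001.mp3 HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4" -
acct1 gym-calls [11/Mar/2025:03:05:00 +0000] 192.0.2.5 - R6 REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 1200 1200 3 2 "-" "curl/8.4" -
"""

# One log field per match: a [bracketed time], a "quoted string", or a bare token.
_FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_line(line):
    """Return (ip, requester, operation, key, status) from one access log line."""
    f = _FIELD.findall(line)
    return f[3], f[4], f[6], f[7], f[9]

def audit(lines, prefix="recordings/"):
    """Flag unauthenticated access to call recordings.
    requester == "-" means S3 served the request with no credentials at all,
    i.e. a public ACL or bucket policy is in effect. Any 2xx hit is a confirmed
    exposure; 403s from anonymous callers show the bucket is still being probed."""
    listing, reads, denied = set(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        ip, requester, op, key, status = parse_line(line)
        if requester != "-":
            continue                      # authenticated principal: out of scope here
        if op == "REST.GET.BUCKET" and status.startswith("2"):
            listing.add(ip)               # anonymous enumeration of object names
        elif op == "REST.GET.OBJECT" and key.startswith(prefix):
            if status.startswith("2"):
                reads[ip] += 1            # a recording actually left the bucket
            elif status == "403":
                denied += 1               # blocked attempt after lockdown
    return {"anonymous_listing": sorted(listing),
            "anonymous_reads": dict(reads),
            "denied_anonymous": denied}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

In production the same check runs over the delivered log objects on a schedule, and a non-empty `anonymous_listing` or `anonymous_reads` should page the on-call engineer rather than wait for an outside researcher.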
The researcher emphasizes that these scenarios are hypothetical and educational; there is no claim that Hello Gym’s customers or members were actively targeted or harmed. The database was secured promptly after responsible disclosure, and liability or wrongdoing by any party is not implied.