Hello Gym Data Leak Exposes 1.6 Million Audio Files of Gym Members


An unsecured database managed by Hello Gym has exposed over 1.6 million audio recordings of gym members. Learn why this data leak leaves customers vulnerable to spear-phishing, deepfakes, and identity theft.

A data exposure incident has hit Hello Gym, a Minnesota-based company that provides technology services to the fitness industry. Website Planet’s cybersecurity researcher Jeremiah Fowler discovered a database that was not protected by a password, exposing a substantial number of audio files.

A Look at the Exposed Data

Fowler’s findings, shared with Hackread.com, reveal that the database contained more than 1.6 million audio files (specifically 1,605,345 files), which included phone recordings and voicemails collected from 2020 to 2025. These files contained personal details that could be used for various malicious purposes. The data was exposed because it was stored in an unprotected storage area, which means anyone with the right knowledge could access it without needing a password.

Further probing revealed that the records belonged to numerous gyms across the US and Canada. While the calls referenced well-known fitness brand names, Fowler identified that a third-party contractor, Hello Gym, managed the database. He confirmed this by speaking with corporate representatives who clarified that while the corporations themselves don’t record audio, some independent franchisees were using a third-party service for this purpose.

The concerning aspect is that the information inside the audio files includes customer names, phone numbers, and the reasons for their calls to the gym. This type of data is referred to as Personally Identifiable Information, or PII, and its exposure could potentially leave gym members and staff vulnerable to significant risks.

It is worth noting that the database was secured within hours of the researcher’s disclosure. However, it is not known how long the database was exposed or whether anyone else gained access to it.

Risks and Dangers

In a world where technology is always advancing, audio recordings, especially those containing a person’s voice, are highly valuable to cybercriminals because they can be used for spear-phishing or social engineering attacks, impersonation, or identity theft. As Fowler noted in the blog post, audio recordings and voicemails “should not have been publicly accessible, as they often included personal details.”

For example, a scammer could use the specific details from a voicemail to build trust and trick someone into giving away more private information. They could easily impersonate gym staff members and convince gym members to share sensitive payment information or other private data.

Furthermore, voice data can be used to create deepfakes, which are convincing but false recordings, and these can be used to impersonate individuals for scams or financial crimes. Though the immediate securing of the database is a positive step, the exposure of such sensitive data highlights the critical need for all companies to be alert in protecting their customers’ information.



