‘Town Sports’ Has Exposed 600,000 Members and Employees via an Unprotected Database

  • ‘Town Sports’ has exposed the sensitive details of hundreds of thousands of members and employees.
  • The information that has leaked online includes names, addresses, phone numbers, and credit card data.
  • The gym chain wasn’t doing very well given the situation with COVID-19, and this looks like the final nail in the coffin.

‘Town Sports,’ the owner of the gym and fitness club chains ‘New York Sports Club,’ ‘Boston Sports Clubs,’ ‘Philadelphia Sports Clubs,’ ‘Washington Sports Clubs,’ ‘Lucille Roberts,’ and ‘TMPL Gym Total Woman Gym and Spa,’ has exposed the sensitive details of 600,000 of its employees and members. The security incident resulted from a database misconfiguration that made the database accessible to anyone with a web browser, without requiring any authentication or passwords.

The type of data that was contained in the database includes the following:

  • full names
  • billing histories
  • phone numbers
  • email addresses
  • street addresses
  • payment type
  • credit card vendor
  • credit card type
  • credit card expiration date
  • last four digits of credit cards
  • payment dates
  • invoice details

Source: Comparitech

Not all database entries contained the full set of details mentioned above, but we’re still talking about highly sensitive information in every case. The date when the database first appeared on specialized search engines is November 30, 2019.

Town Sports eventually secured the database on September 22, 2020, a day after the researchers who discovered the leaky bucket informed them of the fact. With the data exposed for that long, the chances that it has not already reached multiple hackers are slim to non-existent.


A typical way for malicious actors to use these details would be to engage with the victims in phishing attacks, especially for acquiring full credit card numbers. All of the rest is already available, so hackers would only need a few missing digits to unlock their access to “unlimited” purchasing of online goods using other people’s money.

If you are among the affected individuals, be very careful with incoming communications that arrive in the form of emails, SMS, or even phone calls. Crooks know a lot about you, and they are masters of social engineering.

This incident couldn’t have come at a worse time for ‘Town Sports,’ their clients, and their employees. COVID-19 has forced the company to close down 185 gyms and let most of its personnel go. Additionally, they continued to charge members allegedly by mistake.

Ten days ago, ‘Town Sports’ filed for Chapter 11 bankruptcy, reporting liabilities of $500 million. That said, expecting any form of identity protection services from them is unrealistic at the moment, and from what we know, they haven’t even informed the exposed individuals yet.
