An unsecured database managed by Hello Gym, a tech provider for fitness franchises in the U.S. and Canada, exposed more than 1.6 million audio recordings of gym members—including voicemails and call logs collected from 2020 to 2025. The files, which included member names, phone numbers, and call details, were accessible without authentication and could be played directly in web browsers.
The breach was discovered by cybersecurity researcher Jeremiah Fowler of Website Planet, who reported it to. The database was secured within hours of disclosure, but it’s unknown how long it remained exposed or whether any malicious actors accessed the data.
Why It Matters
Voice recordings carry a high risk profile: they can be weaponized for spear-phishing, social engineering, or impersonation. In the era of AI deepfakes, stolen audio can be used to craft convincing scams or fake calls that appear authentic, putting individuals, and potentially businesses, at heightened risk.
Key Takeaways
- Hello Gym leak exposed 1,605,345 audio files containing PII.
- The database was publicly accessible without password protection.
- Files included names, phone numbers, and reasons for gym member calls.
- Audio data can be leveraged for phishing, impersonations, and deepfakes.
- The leak was fixed quickly, but the duration and potential misuse remain unclear.
Source: HackRead (reporting by Deeba Ahmed)


