Ultrahuman has confirmed that hackers accessed a small portion of customer wellness data after stealing an employee’s credentials from a malware-infected laptop. The incident affected an internal analytics system, not customer passwords, payments, production systems, or Ring devices.
TL;DR
- Hackers accessed Ultrahuman customer wellness data on March 27.
- The breach involved an internal analytics system and stolen employee credentials.
- Ultrahuman says about 0.1% of users were affected.
- No passwords, payment data, production systems, or smart rings were compromised.
Ultrahuman Breach Exposes Wellness Data Through Stolen Employee Credentials
Wearable health tech startup Ultrahuman is notifying affected customers after hackers gained unauthorized access to wellness data through an internal analytics tool. The India-based company said the breach took place on March 27 and was detected promptly.
According to Ultrahuman, the attackers used credentials stolen from an employee’s malware-infected laptop. Once the intrusion was detected, the company took the affected system offline and revoked all access.
“Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Ultrahuman CEO Mohit Kumar said in a statement.
Ultrahuman Says 0.1% Of Users Were Affected In The Health Data Incident
Ultrahuman said the exposed information belonged to about 0.1% of its users. Based on the company’s previously reported figure of roughly 700,000 monthly active users, that could mean at least 700 customers had health-related data accessed.
The startup did not dispute that estimate but declined to share the exact number of affected users. It also did not clarify what specific information falls under “wellness data.”
In an FAQ, Ultrahuman said the threat actor obtained “read-only” access to the affected system. However, the company did not confirm whether its investigation found that any customer data was exfiltrated.
Topics For More Insights
- Meta’s AI Support Bot Lets Hackers Hijack Instagram Accounts
- Iran-Linked Hackers Blamed For LA Metro Breach That Hit Systems And Recovery
- UK Visa Portal Faces Scrutiny After Thousands Of Passports And Selfies Leaked!
- Anthropic’s ‘Too Powerful’ Mythos Triggers Global Alarm Bells & Hackers May Already Be Inside
Why Ultrahuman’s Data Breach Raises Bigger Wearable Privacy Questions
Ultrahuman, founded in 2019, sells smart rings and metabolic health-tracking devices that monitor metrics such as sleep, activity, and recovery. Its Ring Air competes with the Oura Ring, while its newer Ring Pro adds upgraded sensors and battery life.
The company said no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised. Kumar added that Ultrahuman was notifying regulators and delayed informing users while it audited the scope of the breach.
Still, the incident puts a spotlight on how wellness tracker companies store sensitive health data on servers. When that data is accessible through internal systems, employees, governments, and malicious hackers can become part of the privacy risk equation.
