Cyber Incident Victim: Glofox
Date: Nov 2020
Location: Ireland
Summary
Glofox, an Irish gym management software provider, investigated a potential data breach after reports emerged that its database, along with those of other companies, had been compromised by the ShinyHunters hacking group. Personal information including names, addresses, phone numbers, encrypted passwords, and dates of birth may have been exposed, though financial data remained unaffected. The company acknowledged external reports of the incident on social media, informing customers it had identified and closed the breach vector while recommending password resets as a precautionary measure. Affiliated gyms relayed these assurances to members, emphasizing that no plain-text credentials were leaked but advising them to update passwords reused on other platforms.
Description
In late November 2020, Irish gym management software provider Glofox initiated an investigation into a potential data breach following external reports of unauthorized access to user information. The incident was linked to ShinyHunters, a known cybercriminal group that simultaneously targeted multiple organizations, including children's platform Animal Jam, which suffered a breach affecting 46 million accounts. Glofox acknowledged the situation through Twitter responses to concerned users, stating they would communicate directly with impacted customers upon completing their investigation. Several gyms utilizing Glofox's platform notified their members about the security incident, with one confirming Glofox had identified and closed the vulnerability pathway responsible for the breach. While financial data and credit card details remained secure, compromised information potentially included names, addresses, phone numbers, encrypted passwords, and dates of birth. Affected gyms advised users to reset Glofox passwords as a precautionary measure and update credentials on other platforms where passwords had been reused, despite no evidence of plaintext password exposure.

Glofox, founded in 2014 by Conor O'Loughlin, Anthony Kelly, and Finn Hegarty, provided business management tools to fitness facilities and had recently expanded services to include live-streaming capabilities during the COVID-19 pandemic. The company had secured $20 million in total funding by 2020, including a $10 million investment earlier that year. The breach occurred amid heightened activity by ShinyHunters, which Wired magazine reported had attempted to sell nearly 200 million stolen records from over 10 companies on dark web markets earlier in 2020. By November, Forbes documented the group's shift to publicly releasing 386 million records from 18 alleged breaches on cybercrime forums. While Glofox maintained direct communication with affected gym operators regarding containment measures, the company did not issue public statements beyond its Twitter responses or disclose the exact number of impacted users. The incident highlighted operational security challenges faced by SaaS providers serving the fitness industry during rapid digital transformation prompted by pandemic restrictions.
