Cyber Incident Victim: Wahoo Fitness

In December 2020, a data breach broker advertised stolen user records from twenty-six companies on a hacker forum, totaling 368.8 million records. Among these, Wahoofitness.com was listed as one of eight new previously undisclosed breaches, with 1.7 million user records offered for sale. The broker’s forum post, discovered by BleepingComputer, revealed that Wahoofitness.com’s data was part of a larger batch of compromised databases marketed collectively. At the time of reporting, the broker had not yet determined a specific price for Wahoofitness.com’s dataset, unlike other companies like Teespring.com or MyON.com, which had assigned values ranging from $1,800 to $4,000. The incident represented a broader pattern of threat actors collaborating with brokers to monetize stolen data through underground channels.

BleepingComputer contacted multiple companies listed as new breaches, including Wahoofitness.com, but received no confirmation or response regarding the incident. MyON acknowledged a breach but asserted no sensitive student data was exposed, while Chqbook.com denied any compromise. Teespring.com had quietly disclosed a June 2020 breach via a noindex-tagged webpage but ceased communication with researchers. No public statement or breach notification from Wahoofitness.com was identified in the source material. Historical context indicated that similarly marketed breaches often proved legitimate, with companies later confirming incidents after public exposure. The exposure of Wahoofitness.com user records raised concerns about potential credential-stuffing attacks or phishing campaigns, as observed with Teespring users who reported malicious emails. The full scope of data types stolen from Wahoofitness.com was not detailed in available samples, unlike MyON’s confirmed exposure of login names, hashed passwords, and names.