Hacker claims to have 305,000 PayAsUGym customers’ data up for sale (Updated)

PayAsUGym iPhone Screenshots

PayAsUGym is a brilliant concept, enabling customers to find and use their nearest gym no matter where their work or day takes them. The network currently has 2,500 fitness centers in the U.K. and customers who purchase monthly passes have unlimited access to their chosen gym, but also access to all gyms of same monthly price or less, without any cap on access. It sounds like a dream arrangement for those who are really serious about working out and want to be able to go to a gym no matter where they are.

But with growth comes challenges, and PayAsUGym [Sandcroft Avenue Limited (trading as ‘PayasUgym’)] has apparently been massively hacked this week by an underground researcher who calls himself “1×0123” (@real_1x0123) on Twitter.

1×0123 attempted to contact the firm’s Twitter team early yesterday:

Getting no response, although the Twitter team was online at the time, he followed up with another tweet one hour later:

1×0123 also emailed the firm. In addition to including more than one dozen screenshots proving access, copies of which were provided to DataBreaches.net, he noted the lack of response from them, and wrote (typos as in the original):

this is getting more scary since my findings are escalated from vulnerability of reading files on your server into taking full controll of the server ..

and to prove that i can controll your server files , i uploaded a new file on http://admin.payasugym.com/1.php and added my email , also i have permissions to read/write on the server + delete content + change content from the home page ..

to prove that .. here is a couple screenshots and some data i got from the server

here list of what i found + able to do

Controll domains including subdomains as shown on the screenshots below

Read all databases inside MySQL ( wich has clients sensetive data + logins + admins details including names,phone numbers,job title

Tested some of the logins i found inside the database on the site itself and it worked ( check screenshot below )

Upload new files , delete files , modify files , as it shown in screenshots also

Read source code of the site

Access to SFTP to manage files ( Found MySQL backups of all databases )

Access to SSH to controll the server

Still, there was no response. Nor has PayAsUGym responded to an emailed inquiry from DataBreaches.net, alerting them to the claimed hack, despite their auto-responder indicating that I should have had a response within two hours of their receipt of my email yesterday. DataBreaches.net also sent a second email request, but again, received no response by the time of this publication.

Personal Information

In an encrypted chat with DataBreaches.net, 1×0123 claimed that, using a 0day provided by a friend, he had acquired personal information on 305,000 customers. Sample data he provided revealed customers’ names, addresses, telephone numbers, email addresses, passwords, date of birth, and hashed credit card numbers. There were a number of .gov email addresses, raising additional concerns as to whether this breach could be used for spear-phishing government employees in the UK.  Administrator accounts were also obtained.

PayAsUGym claims that they use

leading technological and security measures (electronic, physical and procedural) to ensure the safety and confidentiality of your Customer Information through collection , storage and disclosure. Such measures include maintaining a secure encryption based transmission system, intrusion detection and prevention software and virus protection software in respect of Customer Information.

Customer login passwords for the portal were not in strong encryption. Nor do they use a strong password for login to SSH/SFTP. 1×0123 informs DataBreaches.net that the password for those was “getme1n.” And despite its statement that might suggest that all customer data are stored in the UK:

Customer Information collected by PayasUgym is stored on a central database hosted by UK Fast our carefully selected third party provider in the UK.

a screenshot provided by 1×0123 shows that customer data was on a server in Holland:

1×0123 sent PayAsUGym proof of access to SSH. It looks like there are a lot of updates that haven’t been performed on the server, including 126 security updates? 

DataBreaches.net attempted to validate the customer data sample provided by 1×0123 in two ways. Some email addresses were tested by inputting them to the login page, but no attempt was made to use the passwords. DataBreaches.net also sent email inquiries to a small sample of customers, asking them for a comment on the situation. Two of those emails bounced back as user unknown, but the others were delivered. None of those contacted have as yet responded, however.

This story will be updated if PayAsUGym responds. In the meantime, as of this morning, 1×012 informs DataBreaches.net that the firm appears to have detected the shell, but that he still has the full database and MySQL backups.

Of possible concern to customers, both 1×0123 and “BugBusters7” have indicated the database and source are now up for sale:

Tweet announcing PayAsUGym database will be up for sale.

1×0123 informs this site that he hopes to get 2 BTC for everything.

DataBreaches.net has also contacted the Information Commissioner’s Office to request a statement.

This post will be updated if more information becomes available.

Update1: @BugBusters7 has begun giving away some of the files for free, and says that there will be more. The users/pwds file has over 300,000 entries: email addresses and MD5 passwords.

Update2: PayAsUGym’s site says “down for maintenance” and they have notified their customers:

PayAsUGym’s email to customers. Via Troy Hunt.


About the author: Dissent

Comments are closed.