Ultrahuman says hackers accessed customers’ wellness data via internal tool

Wearable health-tech startup Ultrahuman said hackers gained unauthorized entree to customers’ wellness information aft stealing an employee’s credentials done malware.

On Wednesday, the India-based startup informed affected customers of the incidental via email, stating that the breach occurred connected March 27 and progressive a strategy utilized for interior analytics. The institution said it detected the intrusion promptly, took the affected strategy offline, and revoked each access.

Founded successful 2019, Ultrahuman sells astute rings and metabolic health-tracking devices that alteration users to show metrics specified arsenic sleep, enactment and recovery. The startup is champion known for its Ring Air, which competes with the Oura Ring, and precocious introduced the Ring Pro with upgraded sensors and artillery life.

Confirming the incident, Ultrahuman told TechCrunch that the attackers gained entree utilizing credentials stolen from an employee’s malware-infected laptop, resulting successful wellness information belonging to astir 0.1% of users being accessed.

Based connected the company’s antecedently reported fig of roughly 700,000 monthly progressive users, that would equate to astatine slightest 700 customers who had their wellness information accessed. Ultrahuman did not quality this figure, but declined to disclose the nonstop fig of customers affected. The institution said nary passwords, outgo information, accumulation systems, oregon Ultrahuman Ring devices were compromised.

“Our information alerting systems detected the incidental wrong hours, and we closed the vulnerability swiftly,” Ultrahuman CEO Mohit Kumar said successful a connection to TechCrunch.

Kumar added that the startup was notifying regulators and had delayed informing affected users portion it audited the afloat scope of the incidental and determined what information had been affected.

Ultrahuman declined to stock immoderate details connected whether it received immoderate connection from the hackers liable for the incident, nor accidental what precisely constitutes “wellness data.” The breach highlights however wellness tracker startups, similar Ultrahuman and besides Oura, store users’ information connected their servers successful a mode that allows their employees — arsenic good arsenic governments and malicious hackers — to entree customers’ wellness data.

The startup said successful an FAQ published connected its website that the menace histrion obtained “read-only” entree to the affected system. However, the institution declined to corroborate whether its probe had determined if immoderate lawsuit information was exfiltrated.

Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised astir $103 million to date, per Tracxn.