Fitness Platform Breach Exposes 1.6 Million Customer and Staff Audio Files

Sep 13, 2025

A communications and lead management platform used by fitness centers across the United States and Canada has exposed 1.6 million audio files, including the voicemails and internal phone calls of gym members and staff. The unsecured and unencrypted database, belonging to the Minnesota-based company Hello Gym, was discovered by a cybersecurity researcher and secured within hours of his disclosure. It is not yet known how long the data was exposed or whether it was accessed by malicious actors.

The database contained 1,605,345 audio files in .mp3 format, with recordings dating from 2020 to 2025. A review of a sample of the files revealed they contained personally identifiable information, including names, phone numbers, and the reasons for the calls. These often related to billing issues, payment information updates, or membership renewals.

Hello Gym provides services to the fitness industry such as business-class VoIP, inbound call answering, and lead management to help gyms scale their business. While the exposed audio files referenced well-known fitness brands, the database was managed by Hello Gym, a third-party contractor. Some independent franchisees of these larger brands reportedly used Hello Gym's services.

The exposure of these audio recordings presents a number of risks to both gym customers and staff. In some instances, employees were heard giving out personal passwords and gym IDs for account changes. In another recording, a manager provided alarm credentials to a monitoring service, information that could potentially be used to gain unauthorized physical access to a gym.

"This is a significant breach of privacy with serious potential consequences," said a website security expert from Hacked SEO, a company that helps businesses recover from cyberattacks. "Scammers could easily use the details from these recordings to impersonate gym staff and trick members into providing credit card information for fake cancellation fees or other fraudulent charges. The availability of voice recordings also opens the door for sophisticated social engineering attacks and even the training of deepfake voice agents."

The security researcher who discovered the breach, Jeremiah Fowler, noted that the exposed data could be used to build complete victim profiles, especially targeting public figures or high-net-worth individuals. The incident highlights how important it is for businesses to properly secure their data and to carefully vet the security practices of their third-party vendors.
