Ultrahuman hackers stole customer wellness data via internal tool
▼ Summary
– Hackers accessed customer wellness data after stealing an employee’s credentials via malware, affecting about 0.1% of users.
– The breach occurred on March 27 and was detected within hours; the affected system was taken offline and all access revoked.
– No passwords, payment information, production systems, or Ultrahuman Ring devices were compromised.
– The company notified affected customers and regulators but delayed disclosure while auditing the full scope of the incident.
– Ultrahuman declined to confirm if data was exfiltrated or share details on communications with the hackers.
Wearable health tech company Ultrahuman has confirmed that hackers accessed customer wellness data after stealing an employee’s login credentials through malware. The breach, which the India-based startup disclosed to affected users via email on Wednesday, involved an internal analytics system and occurred on March 27.
According to the company, the intrusion was detected within hours, prompting an immediate shutdown of the compromised system and a revocation of all access. Founded in 2019, Ultrahuman is best known for its Ring Air, a direct competitor to the Oura Ring, and recently launched the Ring Pro with enhanced sensors and extended battery life. The startup’s devices track sleep, activity, and metabolic health metrics.
In a statement to TechCrunch, Ultrahuman CEO Mohit Kumar explained that the attackers gained entry using credentials stolen from an employee’s laptop infected with malware. This breach resulted in the exposure of wellness data belonging to roughly 0.1% of users. Based on Ultrahuman’s previously reported figure of approximately 700,000 monthly active users, that equates to at least 700 customers whose health data was accessed. While the company did not dispute this estimate, it declined to reveal the exact number of affected individuals.
Ultrahuman emphasized that no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised. “Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Kumar said. He added that the startup is notifying regulators and intentionally delayed informing users until it could fully audit the scope of the breach and determine exactly what data had been accessed.
The company has not disclosed whether it received any communication from the hackers, nor did it specify what constitutes “wellness data” in this context. This incident underscores a broader concern: wellness tracker startups, including Ultrahuman and Oura, store user data on servers in ways that allow employees, governments, and malicious actors to potentially access sensitive health information.
In an FAQ posted on its website, Ultrahuman noted that the threat actor obtained “read-only” access to the affected system. However, the company declined to confirm whether its investigation had determined if any customer data was actually exfiltrated.
Ultrahuman has raised approximately $103 million to date, with backing from investors including Nexus Venture Partners, Steadview Capital, and Blume Ventures.
(Source: TechCrunch)
