Wearable health-tech startup Ultrahuman said hackers gained unauthorized access to customers’ wellness data after stealing an employee’s credentials through malware.
On Wednesday, the India-based startup informed affected customers of the incident by email, stating that the breach occurred on March 27 and involved a system used for internal analytics. The company said it detected the intrusion promptly, took the affected system offline, and revoked all access.
Founded in 2019, Ultrahuman sells smart rings and metabolic health-tracking devices that enable users to monitor metrics such as sleep, exercise and recovery. The startup is best known for its Ring Air, which competes with the Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life.
Confirming the incident, Ultrahuman told TechCrunch that the attackers gained access using credentials stolen from an employee’s malware-infected laptop, resulting in wellness data belonging to about 0.1% of users being accessed.
Based on the company’s previously reported figure of roughly 700,000 monthly active users, that would equate to at least 700 customers who had their health data accessed. Ultrahuman did not dispute this figure, but declined to disclose the exact number of customers affected. The company said no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised.
“Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.
Kumar added that the startup was notifying regulators and had delayed informing affected users while it audited the full scope of the incident and determined what data had been affected.
Ultrahuman declined to share any details on whether it received any communication from the hackers responsible for the incident, nor say what exactly constitutes “wellness data.” The breach highlights how wellness tracker startups, like Ultrahuman and also Oura, store users’ data on their servers in a way that allows their employees — as well as governments and malicious hackers — to access customers’ health data.
The startup said in an FAQ published on its website that the threat actor obtained “read-only” access to the affected system. However, the company declined to confirm whether its investigation had determined if any customer data was exfiltrated.
Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised around $103 million so far, per Tracxn.

