A massive, unprotected dataset of 1,605,345 audio files — calls and voicemails collected between 2020 and 2025 — was found publicly exposed and appears to have been managed by Hello Gym, a Minnesota-based communications and lead-management vendor serving the fitness industry. The files required no password and were not encrypted, leaving members’ names, phone numbers and other sensitive details available to anyone who found the storage repository.
Researcher Discovered Files and Notified Vendor and Press
Cybersecurity researcher Jeremiah Fowler discovered the open repository and reported it to Website Planet. In a limited sample of the exposed files, Fowler heard personally identifiable information being spoken aloud, including callers’ names, phone numbers and the reason for the call. Fowler told Website Planet that the recordings covered routine but sensitive topics such as billing queries, membership renewals and payment updates. Multiple major franchisees and at least one corporate representative acknowledged the issue to the researcher.
Scale and Timeframe of the Exposure
The dataset consisted of 1,605,345 .mp3 recordings dated from 2020 through 2025. The repository was publicly accessible, with no authentication required and no encryption applied to the files. After Fowler disclosed the leak to Hello Gym, the database was reportedly secured within hours, though it remains unclear how long the recordings had been exposed before discovery.
Types of Information Contained in the Recordings
In his sampling, Fowler observed that recorded call content routinely contained:
- Personal names and phone numbers
- Billing information and payment discussions
- Membership details and subscription status
- Reasons for service calls (cancellations, renewals, updates)
Because the sensitive data appears in call audio, it often includes context that text logs would not — for example, spoken account numbers, card details, or explicit instructions provided over the phone.
Potential Abuse Scenarios Identified by Researcher
The public exposure raises multiple abuse risks. Fowler warned that criminals could use the recordings to craft highly targeted spear-phishing and social-engineering calls, impersonate gym staff, request updated payment information, or demand bogus cancellation fees. He also noted the recordings could be valuable training data for deepfake voice agents, enabling more convincing fraud.
Hello Gym secured the repository after notification, but the vendor has not publicly disclosed how long the data was exposed or the full list of gym brands and franchise locations affected. Several franchisees and one corporate contact acknowledged the breach to the researcher, indicating the issue touched multiple organizations across the U.S. and Canada.
Security Recommendations Reported by the Researcher
Following the disclosure, Fowler recommended standard vendor-security measures: using encryption at rest, restricting and segmenting access to audio archives, deleting stale recordings, performing regular vulnerability testing, and evaluating third-party vendors’ security practices before sharing customer data.
Hello Gym acts as a third-party contractor for gyms; affected members should assume that call audio may have contained personally identifiable information and treat unsolicited calls with extra caution. The researcher advised that consumers verify caller identity before sharing any financial or personal details and remain skeptical of unexpected requests relating to payments or account changes.