Ultrahuman says hackers accessed customers’ wellness data via internal tool

Wearable health tech startup Ultrahuman said hackers gained unauthorized access to customers’ wellness data after stealing an employee’s credentials through malware. On Wednesday, the India-based startup informed affected customers of the incident via email, stating that the breach occurred on March 27 and involved a system used for internal analytics. The company said it detected the intrusion promptly, took the affected system offline, and revoked all access.

Founded in 2019, Ultrahuman sells smart rings and metabolic health-tracking devices that enable users to monitor metrics such as sleep, activity, and recovery. The startup is best known for its Ring Air, which competes with the Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life.

Confirming the incident, Ultrahuman told TechCrunch that the attackers gained access using credentials stolen from an employee’s malware-infected laptop, resulting in wellness data belonging to about 0.1% of users being accessed. Based on the company’s previously reported figure of roughly 700,000 monthly active users, that would equate to at least 700 customers who had their health data accessed. Ultrahuman did not dispute this figure but declined to disclose the exact number of customers affected. The company said no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised.

“Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch. Kumar added that the startup was notifying regulators and had delayed informing affected users while it audited the full scope of the incident and determined what data had been affected.

Ultrahuman declined to share any details on whether it received any communication from the hackers responsible for the incident and didn’t say what exactly constitutes “wellness data.” The breach highlights how wellness tracker startups, like Ultrahuman and Oura, store users’ data on their servers in a way that allows their employees — as well as governments and malicious hackers — to access customers’ health data.

The startup said in an FAQ published on its website that the threat actor obtained “read-only” access to the affected system. However, the company declined to confirm whether its investigation had determined if any customer data was exfiltrated. Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised around $103 million to date, per Tracxn.
