Security researcher Jeremiah Fowler said he discovered an unencrypted Amazon Web Services S3 bucket used by HelloGym that contained about 1.6 million audio recordings from gym members and staff. The MP3 files, stamped with dates ranging from 2020 to 2025, included callers’ names, phone numbers and reasons for contact such as membership renewals or cancellations. The bucket was left open without authentication for about a week in late July, Fowler said.
Fowler traced the data to HelloGym, a provider of sales, marketing, and VoIP call services for major gym brands including Anytime Fitness, Snap Fitness, and UFC Gym. He said he had to contact individual gyms to determine which company was behind the repository. HelloGym declined to comment on the incident.
The exposed recordings could enable criminals to conduct real-time impersonation and social engineering, such as calling a member back and posing as a staffer to obtain payment details or demand fraudulent cancellations. The audio files could be played in a standard web browser without a password, and some calls showed employees sharing personal passwords or other credentials to verify account changes.
Experts warn the breach underscores the evolving risk posed by voice data and AI-enabled spoofing. While the report notes that some AI tools can clone voices from short samples, the practical threat already exists as criminals increasingly use deception to bypass verification steps and access sensitive information.
Recommended mitigations include encryption of stored data, regular penetration testing to identify misconfigured or exposed storage, and data minimization practices, such as segmenting and securely deleting records no longer in use. Fowler urged organizations to audit retention policies and securely back up older data to limit exposure in a breach. The findings were summarized in a piece published by WebsitePlanet.
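The following audit is an added illustration, not code from the WebsitePlanet report or from HelloGym: it checks bucket settings, shaped like the S3 API's public-access-block, policy, encryption and lifecycle responses, for the conditions described above. The two sample configurations, the bucket name and the 365-day retention threshold are constructed assumptions.

```python
"""Offline audit of S3 bucket settings (constructed sample data, no AWS calls)."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_public_principal(principal):
    # "*" or {"AWS": "*"} (string or list) matches any caller, signed in or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg, max_retention_days=365):
    """Return sorted finding codes; max_retention_days is an assumed policy value."""
    findings = set()
    pab = cfg.get("public_access_block") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.add("PUBLIC_ACCESS_BLOCK_INCOMPLETE")
    statements = (cfg.get("policy") or {}).get("Statement", [])
    if isinstance(statements, dict):          # a single statement is valid JSON policy
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and _is_public_principal(stmt.get("Principal"))):
            findings.add("POLICY_ALLOWS_ANONYMOUS")
    enc_rules = (cfg.get("encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in enc_rules):
        findings.add("NO_DEFAULT_ENCRYPTION")
    # Rule filters are ignored here: any enabled expiry rule counts as coverage.
    days = [r["Expiration"]["Days"] for r in (cfg.get("lifecycle") or {}).get("Rules", [])
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    if not days or min(days) > max_retention_days:
        findings.add("NO_RETENTION_LIMIT")
    return sorted(findings)

# Constructed examples: an open bucket and a hardened one.
_ARN = "arn:aws:s3:::example-call-recordings/*"
EXPOSED = {"policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject", "Resource": _ARN}]}}
HARDENED = {
    "public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "policy": {"Statement": []},
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "aws:kms"}}]},
    "lifecycle": {"Rules": [{"Status": "Enabled", "Expiration": {"Days": 180}}]},
}
```

In practice the four inputs would be filled from the corresponding S3 API responses for each bucket in an account.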