A major Fitify data leak exposed over 373,000 user files—including more than 138,000 sensitive progress photos—due to an unsecured Google cloud storage bucket. The breach raises serious privacy concerns for the popular fitness app’s 25 million users.
Unsecured Cloud Bucket Exposes Private Media
Discovered by researchers at Cybernews, the breach was caused by a publicly accessible Google Cloud bucket owned by Fitify Workouts, the developer behind the app. No passwords or security keys were needed to access the data.
Among the 373,000 exposed files were:
- 138,000 progress photos uploaded by users tracking weight loss or body changes
- 206,000 profile images
- 6,000 body scan files, including pictures and AI-generated metadata
- 13,000 AI coach message attachments
Many of the exposed progress pictures were taken in minimal clothing, making the leak particularly sensitive. Users likely believed these images were private and shared only with the app’s AI coach feature.
Hardcoded Secrets Reveal Further Risk
Fitify’s security issues went beyond the misconfigured cloud storage. Researchers also found hardcoded secrets embedded in both development and production environments of the app. These included:
- Google Client ID and Android Client ID
- Google API Keys
- Firebase credentials
- Facebook App ID and Client Token
- Algolia API Key
These credentials could allow attackers to impersonate legitimate app instances, access user data, manipulate cloud storage content, or even extract data from third-party services like Algolia or Facebook.
Alarmingly, the researchers found that Fitify’s privacy policy failed to mention the leaked Algolia API key. Since Algolia doesn’t support self-hosting, the SaaS provider or its partners handle any stored user data.
Company Response and Next Steps
After being contacted by Cybernews, Fitify closed the exposed cloud instance. However, the company has not yet provided an official statement regarding the full scope of the breach or its mitigation efforts.
Researchers recommend a multi-pronged response:
- Revoke leaked credentials and replace them with securely stored secrets
- Audit exposed endpoints for misuse
- Update the app to eliminate dependencies on hardcoded secrets
- Strengthen cloud bucket access controls and employee permissions
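The root cause above was a Google Cloud Storage bucket readable without any credentials. As an added example (not code from Fitify or Cybernews), the script below checks a bucket IAM policy, in the JSON shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns, for grants to the public principals allUsers and allAuthenticatedUsers, and prints the gcloud commands that remove them. The sample policy and bucket name are constructed.

```python
"""Flag public access grants in a Google Cloud Storage bucket IAM policy.

Added example, not Fitify's or Cybernews' code. Input is the JSON that
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints.
"""
import json

# Either of these principals makes a grant reachable by the whole internet.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: one legitimate admin grant plus the classic
# misconfiguration that makes every object in the bucket world-readable.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:ops@example.invalid"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
    "etag": "CAE=",
    "version": 1,
})


def public_bindings(policy_json: str) -> list[tuple[str, str]]:
    """Return (role, principal) pairs granted to a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def remediation_commands(bucket: str, findings) -> list[str]:
    """gcloud commands that drop each public grant, then lock the bucket."""
    cmds = [
        f"gcloud storage buckets remove-iam-policy-binding gs://{bucket} "
        f"--member={member} --role={role}"
        for role, member in findings
    ]
    if findings:  # prevent the grant from being re-added later
        cmds.append(f"gcloud storage buckets update gs://{bucket} "
                    "--public-access-prevention")
    return cmds


if __name__ == "__main__":
    hits = public_bindings(SAMPLE_POLICY)
    for role, member in hits:
        print(f"PUBLIC: {member} holds {role}")
    print("\n".join(remediation_commands("example-bucket", hits)))
```

Run it against a real policy with `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` piped into `public_bindings`; an empty result means no bucket-level public grant, though legacy per-object ACLs still need a separate check.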
Conclusion
The Fitify data leak highlights just how fragile digital privacy can be—even with a well-known app downloaded by millions. With personal fitness data, body scans, and social-linked credentials at stake, companies must take cloud security and API key management far more seriously. Until then, users can only hope to keep their sensitive images from ending up in the wrong hands.