PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords.

In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later claimed that they planned to sell off the compromised database through underground markets.

PayAsUGym apparently used the obsolete MD5 hashing technology, making it straightforward to work out the corresponding passwords using a brute force attack and dictionary lookups.

Troy Hunt, the security researcher behind the haveibeenpwned breach notification website, warned over the weekend that “PayAsUGym data appears to be circulating with “more than 400k unique emails in there for UK customers”.

Hunt reposted a notice that admitted email addresses and passwords might have been breached. PayAsUGym, which says that it doesn’t store credit card numbers, has reset user passwords.

Password reuse is always a bad idea. Those users who their PayAsUGym password at other sites are particularly exposed to so-called credential-stuffing attacks, where hackers try passwords exposed at one site at other sites.

Luke Brown, VP and GM EMEA at Digital Guardian, said: “It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks.

“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information,” he added.

PayAsUGym offers flexible access to day passes, fitness classes and no-contract membership at over 2,200 UK gyms. The firm is yet to respond to a request from El Reg to confirm the number of breached records. ®