Sensitive user files from the popular fitness app Fitify have been secured after cybersecurity researchers discovered a publicly accessible Google Cloud storage bucket containing hundreds of thousands of images, including body scans and personal progress photos.
“A Google Cloud bucket is simply a filing cabinet in the virtual space,” said cybersecurity expert Ritesh Kotak in a video interview with CTVNews.ca. “Your files, your digital data, all the searches … need to be housed somewhere, and it’s usually housed in a cloud bucket and Google is one of the more popular (ones).”
The exposed storage, now closed, was discovered by researchers at Cybernews in early May.
Their report says more than 373,000 files were accessible without any password protection or security keys. It also says Fitify Workouts, the company behind the app, shut down the exposed cloud storage after being contacted by Cybernews.
According to the Cybernews report, while many of the files were workout plans and instructional videos, researchers also found 206,000 user profile photos, 138,000 progress photos, and roughly 6,000 images labelled “Body Scan.” Some of the files, it says, had been shared through Fitify’s AI coaching feature, which lets users track body changes over time.

According to its website, Cybernews is an “independent media outlet, where journalists and security experts debunk cyber by research, testing and data.”
CTVNews.ca has reached out to Fitify Workouts for comments, but did not receive a response by the time this article was published.
According to Cybernews researchers, “progress pictures” and “body scans” are often taken in minimal clothing to show weight loss and muscle gain, so most of the exposed images are likely ones users would expect to keep private.
Kotak says the exposure likely happened when someone with access created a public link that wasn’t secured or expired.
“If you’re able to get that link, you’re able to access it,” he said. “There is a significant risk of harm to an individual given the sensitivity of the information.”
Fitify’s Google Play description tells users their data is “encrypted in transit.” That covers only the connection between the app and Google’s servers; it says nothing about who is allowed to read the bucket. Cybernews researchers said the storage was accessible to anyone with a link and that the files were not encrypted at rest, so anyone who found the address could view or download the content. A bucket readable by anonymous users is, in practice, an access-control failure: Google Cloud Storage encrypts stored objects on the server side by default, and that encryption is transparent to every principal the bucket policy admits, including the public “allUsers” principal.
“This leak shows that the access controls implemented by the app were insufficient to secure user data,” Cybernews said in its report. “The fact that this data could be accessed by anyone without any passwords or keys demonstrates that user data was not encrypted at rest.”
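One way to check for the misconfiguration described above, as an added example that is not code from the article, from Cybernews or from Fitify: a Python script that inspects a Google Cloud Storage bucket's IAM policy (the JSON shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints) and the bucket's `iamConfiguration` metadata for the two public principals, `allUsers` and `allAuthenticatedUsers`, reports whether public access prevention and uniform bucket-level access are enforced, and emits the policy with the public grants stripped. The bucket name, service account and policy contents are constructed sample data, not Fitify's.

```python
"""Audit a Google Cloud Storage bucket for public access.

Added example, not code from the article, Cybernews or Fitify. It works on the
JSON that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`
prints and on the bucket's iamConfiguration metadata. Everything below is
constructed sample data; the bucket and service account names are made up.
"""
import json

# The two principals that make a grant "public": anonymous users, and anyone
# with any Google account (still effectively public for a data leak).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: a bucket policy that exposes every object to the internet.
LEAKY_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "CAE=",  # keep the etag so set-iam-policy detects concurrent edits
})

# Constructed sample: bucket settings that let a public grant take effect.
LEAKY_METADATA = {
    "name": "example-user-uploads",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
}

# The same bucket after hardening with
#   gcloud storage buckets update gs://example-user-uploads \
#       --public-access-prevention --uniform-bucket-level-access
HARDENED_METADATA = {
    "name": "example-user-uploads",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
}


def public_bindings(policy_json):
    """Return (role, member) pairs granted to a public principal."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def findings(policy_json, metadata):
    """List the misconfigurations a reviewer would flag; empty means clean."""
    problems = []
    for role, member in public_bindings(policy_json):
        problems.append(f"{role} granted to {member}: every object is readable by URL")
    iam_cfg = metadata.get("iamConfiguration", {})
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        problems.append("publicAccessPrevention not enforced: a future public grant would succeed")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        problems.append("uniform bucket-level access off: per-object ACLs can still expose objects")
    return problems


def hardened_policy(policy_json):
    """Return the policy with public principals removed, ready for set-iam-policy."""
    policy = json.loads(policy_json)
    kept = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:  # drop bindings that only granted public access
            kept.append({**binding, "members": members})
    policy["bindings"] = kept
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for problem in findings(LEAKY_POLICY, LEAKY_METADATA):
        print("FINDING:", problem)
    # Save the output as hardened.json and apply it with:
    #   gcloud storage buckets set-iam-policy gs://example-user-uploads hardened.json
    print(hardened_policy(LEAKY_POLICY))
    print("after hardening:", findings(hardened_policy(LEAKY_POLICY), HARDENED_METADATA))
```

Removing the `allUsers` grant closes the hole; enforcing public access prevention stops it from being reopened by a later grant or per-object ACL. Where a single object genuinely has to be handed to one user, a signed URL with a short expiry is the alternative to making the bucket public, which is the distinction between the expiring link and the unsecured one that Kotak draws above.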

Kotak questioned why such data was stored in the cloud in the first place.
“Why was this data not encrypted? Why was it uploaded to the cloud at all, instead of stored on the user’s device?” he asked. “These are serious security oversights.”
Kotak says users should be cautious when sharing personal information with fitness and health apps, especially when biometric data or photos are involved.
“When you sign up for an app … you’re entrusting an organization with some very sensitive and personal information,” he said. “Think before you click and just be cognizant that once your information is put into the hands of one of these organizations, there is a possibility that a breach like this can occur.”