Cybersecurity researcher Jeremiah Fowler has reported a major data breach linked to Hello Gym, a company that provides telephony services for the fitness industry in the United States and Canada. The exposed dataset contained more than 1.6 million call recordings and voicemails, including names, phone numbers, and other personal details of customers. The repository had no password protection or encryption and held 1,605,345 .mp3 files collected between 2020 and 2025.
Upon reviewing a sample of the files, Fowler found numerous mentions of sensitive personal information, including contact details and reasons for calls. These ranged from payment issues and membership renewals to inquiries about access cards and other matters often involving confidential data. Such recordings could be exploited in targeted social engineering and phishing attacks, with criminals posing as gym staff to trick clients into revealing bank card details or paying fraudulent fees. Fowler also warned that the recordings might be used to train systems capable of generating convincing synthetic voices.
Several franchisees and one corporate-level representative acknowledged the problem after being notified. Fowler reported the discovery to Hello Gym, and access to the repository was closed within hours. However, it remains unclear how long the files had been publicly accessible or whether they had been downloaded by unauthorized parties.
Based in Minnesota, Hello Gym specializes in communication and CRM solutions for fitness centers. The incident raises pressing concerns about how third-party providers handle personal data. In his report, Fowler emphasized that businesses must adopt fundamental security practices: encrypting sensitive files, restricting access, deleting outdated data, conducting vulnerability testing, and carefully vetting contractors.
The breach affects members of well-known gym chains, who now face the risk of fraudulent calls. Customers are urged to remain cautious when interacting with supposed “staff” requesting financial information. To reduce risk, experts recommend always verifying the caller’s identity and never sharing bank card numbers or other confidential details over the phone.