Ultrahuman says hackers gained access to customer health data via an internal tool

Wearable health technology startup Superhuman He said hackers gained unauthorized access to customers’ health data after employee credentials were stolen through malware.

On Wednesday, the India-based startup notified affected customers of the incident via email, noting that the hack occurred on March 27 and involved a system used for internal analytics. The company said it immediately discovered the breach, stopped the affected system from working, and revoked all access to it.

Founded in 2019, Ultrahuman sells smart rings and metabolic health trackers that enable users to monitor metrics like sleep, activity, and recovery. The startup is known for Circular airWhich competes with the Oura Ring and more recently Introduced Ring Pro With upgraded sensors and battery life.

Confirming the incident, Ultrahuman told TechCrunch that attackers gained access using credentials stolen from an employee’s malware-infected laptop, resulting in access to health data belonging to about 0.1% of users.

Based on the number previously announced by the company Nearly 700,000 monthly active usersThis would equate to at least 700 customers whose health data was accessed. Ultrahuman did not dispute this number, but declined to reveal the exact number of affected customers. No passwords, payment information, production systems or Ultrahuman Ring devices were compromised, the company said.

“Our security alert systems detected the incident within hours, and we quickly closed the vulnerability,” Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.

Kumar added that the startup was notifying regulators and delayed informing affected users while it reviewed the full scope of the incident and determined what data was affected.

Ultrahuman declined to share any details about whether it has received any contact from the hackers responsible for the incident, and did not say what exactly constitutes “wellness data.” The hack highlights how wellness tracking startups, such as Ultrahuman and also Oura, store user data on their servers in a way that allows their employees – as well as governments and malicious hackers – to access customers’ health data.

The startup said in its FAQ published On its website, the threat actor gained “read-only” access to the affected system. However, the company declined to confirm whether its investigation had determined whether any customer data had been leaked.

Ultrahuman counts Nexus Venture Partners, Steadview Capital and Blume Ventures among its investors. The startup has It raised about $103 million So far, per Tracxn.