My Fitness Pal, Apollo.io and others fall victim to data leaks.
09 May 2021
BREACHAWARE HQ
A total of 22 breach events were found and analysed, resulting in 108,777,517 exposed accounts containing a total of 15 different types of personal data. The breaches found publicly and freely available included My Fitness Pal, Apollo.io, Romwe, Descomplica and EyeEm. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Contact Data, Financial Data, Technical Data, Behavioural Data, Socio-Demographic Data, Locational Data, Transactional Data, Documentary Data.
Data Breach Analysis
MyFitnessPal, a health and fitness tracking application owned by Under Armour, represents one of the most significant breaches in the group, both in scale and sensitivity. As a platform used by millions to monitor dietary habits, exercise routines, and weight loss progress, it handles more than just email addresses and passwords. For users, there is a risk that accounts reused across platforms could become vulnerable, and for researchers, this breach remains a case study in how health-adjacent services manage security and disclosure.
Apollo.io, a B2B lead generation platform, is a very different case in nature and impact. This service aggregates large datasets containing business contacts, making use of publicly available information as well as proprietary data. While this data may have been considered "public" in nature by Apollo, the exposure en masse, without consent, significantly alters its impact. It has implications for unsolicited outreach, identity association, and competitive intelligence. Furthermore, many of the individuals in Apollo's data may not have been aware they were included, underscoring persistent questions around data ethics in the B2B marketing ecosystem.
Romwe, a fast-fashion e-commerce retailer known for its younger demographic and low-cost offerings, contributes to the retail-focused dimension of the breaches. Romwe's data, in the context of a breach, may not seem sensitive on the surface, but combined with other identifiers, it adds to a broader profile that can be leveraged in phishing or fraud schemes, particularly among less technically experienced users.
Descomplica, an educational platform primarily serving Brazilian students with online coursework, exam preparation, and remote classes, introduces a new domain to the breach narrative: EdTech. While the specifics of the Descomplica breach may not include highly sensitive data, the targeting of student and academic platforms raises questions about educational cybersecurity readiness in Latin America and beyond.
EyeEm, a photography community and stock photo platform, is often used by both hobbyists and professionals to share and monetise visual content. As with many creative platforms, user handles are often reused across forums or portfolios, allowing for connections to be made across otherwise unrelated services. For affected users, the exposure of their EyeEm profile may not seem alarming, but in the right context, even simple data points like usernames or bio links can become leverageable identifiers.
The dataset as a whole comprises 15 different types of personal information. While not all types would be present for each individual account, the total spread of data types indicates a wide-reaching and heterogeneous collection of compromised details. The significance of such a diverse dataset lies in the ability to cross-reference. A user may be relatively safe if their email address appears once in isolation, but if the same email appears in multiple breaches with slightly different accompanying information (an IP address here, a job title there), the compound risk escalates. Threat actors often use such intersections to build out robust profiles, either for direct attack (credential stuffing, phishing) or for sale on illicit marketplaces.
A large number of breaches being available publicly also means they are accessible to non-sophisticated actors. The barrier to entry for malicious use is lower when the data is already indexed, unpacked, and downloadable. Open-source intelligence (OSINT) practitioners, social engineers, and even data brokers frequently exploit these datasets not for hacking, but for targeted research, impersonation, or profiling.
The fact that services as varied as a fitness tracker, an education platform, a fashion retailer, and a photo-sharing app can all appear in the same list demonstrates the broad and persistent reach of breach events. These are not isolated to any one region, industry, or user base. Instead, they paint a picture of a digital ecosystem where user data is distributed across dozens of apps and platforms, each with its own security posture and risk surface. That data, once compromised, enters a long life of exposure and potential repurposing, regardless of the user's current engagement with the platform in question.
For organisations, the indirect consequences of these breaches may be reputational, especially if the data is associated with poor password storage practices or late disclosure. For users, the reality is often quieter and more persistent: more spam, more targeted scams, or unusual login attempts. For regulators and digital rights advocates, it's another chapter in the long-standing debate about how data is collected, who owns it, and what happens when it's lost.
As this dataset joins the vast backlog of exposed information circulating in the public sphere, it becomes part of a broader archive, one that increasingly reflects not just snapshots of user data, but behavioural and professional trends, regional demographics, and long-term usage habits. The trend is not only ongoing but accelerating.