Raising Privacy and Voice-Security Concerns

A security researcher says they uncovered an internet-facing storage bucket tied to Hello Gym, a Minnesota company that provides communications and lead-management tools to fitness businesses. The repository—open to the public with no password and no encryption—contained 1,605,345 MP3 files of calls and voicemails believed to span 2020 through 2025. In spot checks, the clips referenced member names, phone numbers, and call reasons such as billing questions, payment updates, and membership renewals. After the researcher notified Website Planet and contacted a corporate privacy team at one affected brand, franchisees confirmed that a third-party platform was in use; the vendor was identified as Hello Gym, and access to the bucket was locked down within hours. It remains unclear how long the trove was exposed or whether anyone else retrieved the data—only a formal forensic review could answer that.

While several major gym brands surfaced in the recordings, corporate representatives said their central systems do not record audio; instead, independent franchise locations had adopted the third-party solution. File structure and metadata were consistent with Hello Gym’s VoIP/call-recording workflows (the company markets call handling, automated follow-ups, and sales tools to studios).

Beyond the clear PII exposure, the audio presents potent social-engineering fuel: a criminal could impersonate staff, cite exact dates and membership specifics from a voicemail, and pressure a member for “updated card details” or a bogus cancellation fee. Some calls reportedly captured employee verification steps—names, location or gym numbers, even passwords read aloud to customer support—creating opportunities for account changes by impostors. One recording involved a manager giving credentials to disable a security alarm for testing, information that could be abused to attempt after-hours entry.

The cache also raises biometric questions: short snippets are enough for AI voice cloning, a tactic seen in recent high-dollar frauds. In the U.S., the FTC has noted that voice recordings can constitute biometric information when voiceprints identify individuals, and states including Illinois (BIPA), Texas, Washington, and California treat certain voice data as sensitive.

Why it matters

Audio leaks combine who called, what they needed, and when—context that makes phishing and vishing lures unusually convincing. When recordings also reveal staff processes or credentials, the risk expands from privacy harm to operational misuse. Unlike text files, voice is a biometric; once copied, it can be cloned and replayed across channels to defeat human trust.

Guidance for members and staff

Treat unsolicited billing or account calls with caution, even if the caller knows real details. Hang up and call back using official numbers from the gym’s site or app. Prefer secure portals for payments and updates rather than sharing information by phone. Establish family or team codewords for urgent requests, and harden personal accounts (MFA, up-to-date devices) to reduce fallout from follow-on scams.

Actions for gyms, franchisees, and vendors

  • Secure storage immediately: remove public access, require authentication, and enable encryption at rest.
  • Reduce and isolate data: keep only what’s necessary, archive older recordings off the public internet, and segregate from other systems.
  • Eliminate sensitive capture: don’t record passwords, PINs, or alarm codes; move verification into controlled channels.
  • Lock down VoIP/admin tools: enforce MFA, rotate keys, restrict by role and IP, and log/alert on anomalies.
  • Test and monitor: schedule external attack-surface checks, routine pen tests, and continuous access monitoring.
  • Vet third parties: request proof of controls (e.g., SOC 2/ISO 27001), clear retention policies, and incident-response commitments.
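The first checklist item (remove public access, require authentication, enable encryption at rest) is the kind of thing a franchisee or vendor can verify mechanically rather than by eye. The script below is an added example, not code from the researcher, Website Planet, or Hello Gym: it audits a bucket configuration offline and reports each way the bucket is exposed. The configuration shape is modelled on S3-style bucket policies, ACL grants, default-encryption rules, and public-access-block settings; both configurations in the file are constructed for illustration, and the account ID in the hardened policy is a placeholder.

```python
"""Offline audit of an object-storage bucket configuration for the exposure
pattern above: anonymous read access and no encryption at rest.

Added example. The field names follow S3-style APIs (bucket policy, ACL
grants, ServerSideEncryptionConfiguration rules, PublicAccessBlock), but the
two configurations below are constructed, not taken from any real bucket.
"""
from typing import Any

# Grantee URIs that mean "anyone on the internet" / "anyone with any account".
ANON_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principal_is_anonymous(principal: Any) -> bool:
    """True when a policy statement's Principal is the wildcard ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def audit_bucket(config: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means no exposure found."""
    findings: list[str] = []

    # 1. Policy statements that allow the anonymous principal with no Condition.
    for stmt in config.get("policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            findings.append(f"policy grants {', '.join(actions)} to anonymous principal")

    # 2. ACL grants to the global "everyone" groups.
    for grant in config.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in ANON_ACL_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")

    # 3. Default encryption at rest must be configured with some algorithm.
    rules = config.get("encryption", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no default encryption at rest configured")

    # 4. All four public-access-block switches must be on.
    pab = config.get("public_access_block", {})
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))

    return findings


# Constructed: the "open to the public, no encryption" state described in the article.
EXPOSED_CONFIG = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-call-recordings/*"}]},
    "acl_grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "encryption": {},
    "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
}

# Constructed: the same bucket after remediation. Only one named role may read,
# objects are encrypted by default, and public access is blocked at the account level.
HARDENED_CONFIG = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/call-recording-reader"},  # placeholder account
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-call-recordings/*"}]},
    "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                    "Permission": "FULL_CONTROL"}],
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit_bucket(cfg))} finding(s)")
        for f in audit_bucket(cfg):
            print("   -", f)
```

Run it as-is to compare the two constructed configurations; to audit a live bucket, feed `audit_bucket` a dict assembled from the provider's get-bucket-policy, get-bucket-acl, get-bucket-encryption and get-public-access-block responses. The policy check deliberately treats any wildcard-principal Allow without a Condition as a finding, because a "read-only" grant to everyone is exactly what turned this archive into a public download.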

The researcher stresses these scenarios are illustrative and educational; there is no claim that Hello Gym’s customers or members were actually targeted. The database was secured promptly after responsible disclosure, and no wrongdoing is alleged. The researcher does not download or retain data, capturing only minimal screenshots for verification, and publishes to encourage stronger data-protection practices.