Ask HN: My full name and address are in a spam email, sent to my iFit mail alias

27 points by appel ↗ HN
Sorry for the weirdly worded title, had to cram a lot in there whilst staying below the char limit.

My wife and I have been subscribed to the iFit family plan for about three years. I just received an obvious spam message, but the concerning thing is that it was sent to the gmail alias I exclusively use for iFit (myname+ifit.com@gmail.com), and the body contains my full name and address. Luckily, the phone number is not correct.

https://i.imgur.com/U3vptQq.png

Am I right to be a little freaked out about this? Or is there a perfectly good explanation?

Edit: When I think about it there are quite a few ways this could have happened.

- iFit sold my data (unlikely but not unprecedented)

- My iFit account was compromised

- My Bitwarden account was compromised

- My Gmail account was compromised

- My computer was compromised?

- The data in the spam message was compiled from a few different sources.

24 comments

[ 3.1 ms ] story [ 58.3 ms ] thread
I think that you are right to be concerned.
For sure.
Oh, I am.
Maybe the EU can do something for you?
I'm in the US, unfortunately.
File a complaint with the Federal Trade Commission
Excellent suggestion, will do.
Not sure why you think it's unlikely, they told you they would in their privacy policy.

"We may disclose or share your personal data to entities other than iFIT for a business purpose"

https://www.ifit.com/privacy-policy

Fair point. But email, full name and address? That does not seem sustainable for the long term to me.
Given the targeted nature of the email (fake fitness related invoice associated with email address used by fitness service) it looks like someone's ended up with a long list of iFit user details, almost certainly via illicit means
Agreed, that makes the most sense to me too. Which, if true, would be pretty bad. Besides contacting iFit, any suggestions on how I should proceed (if at all)?
Report it to CISA.gov and your attorney general. If it happened to you, it likely happened to a large number of other customers as well.
More than likely iFit.

I don't think they're doing so hot after the Peloton lawsuit, and anecdotally getting their support to answer a simple email takes months. My last conversation with them by phone basically ended with the agent saying "go ahead and initiate a charge-back with your credit card, because even though you should be refunded my hands are tied".

Oof, that doesn't sound promising. I contacted them via Twitter DM, but they brushed me off. I doubt I'll fare better via official channels but I'll try tomorrow.
I had something like this happen with a VoIP provider (I don't quite know how to describe them, but they're like Twilio where you can 'code the phone' sort of thing) and my unique email address. Reported it to them out of concerns their system was breached, explained the unique email address situation and was given nothing but denial in return and ultimately got nowhere.

Sucks, but I guess it is what it is :/. This was a while ago so it's fuzzy but I just ended up not using them anymore/not going forward with them.

Sucks for sure, especially not knowing the origin. I reported it to iFit via Twitter DM, but that didn't really go anywhere. I'll try official channels tomorrow, just in case, but I won't be holding my breath.
My guess – iFit sold your data in the advertising and tracking market, which you allowed by signing their ToS. Over there it was exchanged between many faceless data brokers, credit agencies, banks, advertisers and more, again fully legally. Pretty much everyone reading this thread and using the internet in general has their personal info floating around in such markets.

From there, your specific bit of data took a path that was, whether knowingly or unknowingly, leaked/sold to someone running outright phishing scams. This part is rare, because the data is a valuable commodity and using it for such pointless (and illegal) purposes would be counter to the best interests of everyone in these ecosystems.

How serious is it? Well, there are people out there with all the info you put in your iFit account. How severe you consider that depends on a bunch of factors, and could be different for everyone.

I'd say that's a pretty good guess. I absolutely signed their ToS and I for sure did not read any of it before signing, so egg on my face.

But if this is in fact what happened, I'd be curious to know how much money my name, email and address sold for. A dollar? 2 bucks? Let's go crazy and say it's $5. As far as I know there are no free tiers at iFit. I pay $396 a year for my family account. This incident severely undermines my trust in them. I'm no sales/marketing guru, but selling paying customer's data for pennies on the dollar seems like a severely ham-fisted move to me.

I suspect they (at least the company, as opposed to an employee with database access) didn't sell it. Not only is your SaaS sub far more profitable than selling email addresses on the darknet, selling contact information to third parties is also inconsistent with other details of their privacy policy and likely illegal and subject to fines in most of Europe. Not that losing your data shouldn't still undermine your trust in them.
Most US states publish property tax information. This includes the full name of the property owners, their full address, the amount of property tax levied, and the purchase price of the home. So none of that information should be considered private. Phone numbers were also quite public in the phone book days of my childhood. Cell phones changed this a bit but I wouldn’t consider them private either. Food for thought.
I take your point, but my issue is more with the fact that I can point to the recipient email address of the email and make a pretty good case that my name, address and email address all originated from iFit, either by them selling my data, or by their systems being breached.

Another user also pointed out that the fake invoice was for exercise equipment - the same general category as iFit. I don't think that is a coincidence.

Your privacy is very important for us. (i.e. we make a lot of money out of it). /s

Google is not privacy.

I've gotten a LOT of these, either your data was sold or compromised. Easy to spot where the data came from because they are sent to masked email addresses (notice they sent it to your `+ifit` address) which makes me think iFit was compromised (not Gmail).

Change your password and email for iFit, poison your data (put in fake names/info if you can). Search your email at the haveibeenpwned website and it will return any data leaks it was a part of.

If you're into scam-baiting, call the number (ideally with a fake/VOIP number) they provided and play along with the scam until they realize you're bullshitting. Do it enough times and your email is removed from their spam list. For extra fun, post the number to r/scambait and they will be inundated with calls for a while.