The gym chain Basic-Fit has suffered a serious security breach that has exposed the personal and banking data of approximately one million users in several European countries, including Spain, France, Germany and the Netherlands.
According to the company's own notice to those affected, the cybercriminals reportedly accessed sensitive information such as first and last names, addresses, email addresses, phone numbers, dates of birth and bank details, as well as details linked to users' activity on the company's platform.
The compromised information also includes elements related to customer membership, such as the type of subscription, the payment balance, internal identifiers, and records of recent visits to the sports centers. Even technical data, such as the device used to access or validate access to the gyms, was reportedly exposed.
The company has stated, however, that service passwords were not affected and that the affected system was linked exclusively to the access log, with no impact on the company's other internal platforms.
The unauthorized access reportedly occurred this past April 8, at which point the monitoring systems detected the intrusion and blocked it. Basic-Fit maintains that the vulnerability was corrected "a few minutes after" being identified.
The company points to a security flaw that has already been fixed and stresses that the attackers have not contacted it and that there is no record of the data having been published or resold online.
Warning of possible fraud and identity theft
Although the company has told users that no immediate action is necessary, it has warned of the risk of phishing attempts arising from the leak. This type of attack relies on impersonating companies to deceive victims and obtain financial information or personal credentials.
Cybersecurity experts warn that the combination of leaked data, such as names, phone numbers and usage habits, can enable more sophisticated fraud campaigns, with personalized messages designed to create trust or urgency in those affected.
The authorities recommend exercising extreme caution with any suspicious communication and, in case of doubt, contacting the bank or reporting the incident to the police. The National Cybersecurity Institute notes that its free telephone number, 017, is available for advice on cybersecurity matters.