
Gym giant Basic-Fit confirms data on a million members stolen in cyberattack

(2026/04/13)


Basic-Fit, Europe's largest gym chain, has confirmed data including the bank details of around a million customers was stolen from its systems.

Around 200,000 members in the Netherlands alone had their data snatched in a recent cyberattack, the company confirmed on Monday morning via emails sent to those affected.

"Today, Basic-Fit has notified the relevant data protection authority concerning unauthorized access to the system that records members' visits to Basic-Fit clubs," it [1]said.


"The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery. The members whose data is involved have been informed."


Basic-Fit said in a press release that "several countries" were affected but did not name them explicitly. It told The Register, however, that members in six countries were hit: Belgium, France, Germany, Luxembourg, and Spain, in addition to the Netherlands.

Basic-Fit only confirmed the total number of affected members after The Register pressed the company for the figures.


A spokesperson told us it could "confirm it involved members [in] all six countries – NL, Belgium, Luxembourg, France, Spain, and Germany, and in total around 1 million members were involved."

They added: "All were affected in the same way – it is one system containing data on members' visits to clubs, and that is not a specific Dutch or French system. For all, it concerned the same data. How they could access the system, who did it, and how is now part of the investigation that we are conduct[ing] with external specialists."

Official company communications released on Monday stated that basic personal information such as names, home and email addresses, phone numbers, and dates of birth were among the stolen data types.


Bank details were also stolen, Basic-Fit confirmed, although [7]passwords were not accessed, and the company does not store copies of identity documents.


Across its two brands, Basic-Fit and Clever Fit, the company has around 5.8 million registered members in total, and operates more than 2,150 budget-friendly gyms across 12 countries in Europe, although Belgium, France, Germany, the Netherlands, and Spain comprise its biggest markets.

Basic-Fit told customers that it is not currently aware of any member data appearing online, either for free or for sale, but it continues to monitor the situation.

In the same disclosure emails, the company advised customers to watch out for potential [12]phishing attempts, and to contact the company via official channels to verify the legitimacy of any suspicious communications. ®




[1] https://corporate.basic-fit.com/docs/Basic-Fit%20informs%20members%20of%20an%20unauthorised%20data%20access?q=3W97qQx2g4cDXrju5NrDeZ


[7] https://www.theregister.com/2026/02/16/password_managers/


[12] https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/




Security ???

spireite

I guess, just like the company name.... is Basic.

Re: Security ???

Anonymous Coward

Or like their equipment maintenance - pretty much non existent.

One of their places near where I live has rowing machines that feel like you're rowing over cobblestones, and have done so for almost a year despite requests to have them fixed.

Too much data collection bites again

Anonymous Coward

A gym is a great example of how we've become conditioned to give out personal information unnecessarily, without any real purpose, and without even really thinking about why.

A gym doesn't need home addresses. They aren't shipping packages and they aren't sending letters. It's 2026. Many customers don't even want postal mail and would rather receive communications via email. If a customer won't be receiving packages and won't be receiving letters, then asking them where they sleep "for our records" is just creepy.

Date of birth is also irrelevant. Year of birth and/or age might be relevant, but the month and day isn't (as long as the customer is over 18). It doesn't matter whether you were born on April 13 or October 4.

Phone number should also be optional. What are the chances a human will actually call? How many people will even pick up an unknown number anymore? If a customer's contact preference is email, that should be respected. Email can handle any contact a customer might need from their gym, and email does it better than postal addresses or phone numbers.

None of this data is relevant to the service provided. Customers have just been conditioned to hand it over when a form requires it or a customer rep says, "well, we just need it for our records." Why? Yes, some might say that billing address and phone number are required by payment processors. There's no actual reason for that, either. Those two pieces of data offer very little protection against payment fraud. Lawmakers can and should ban the mindless collection of this data for payment authorization purposes. There's better ways to stop payment fraud, and we should be embracing more secure technologies to cut down on fraud, which costs us all in the form of higher prices and elevated payment processing fees. Customers need to start pushing back against this. Businesses won't shape up and limit collection to necessary data until it starts costing them sales.

Re: Too much data collection bites again

Anonymous Coward

That's not quite true.

Gyms exist on making sure you don't do a Trump on the money they squeeze out of you (Basic Fit have come up with an extra user milking trick: you pay every 4 weeks, so people don't realise they actually pay 13 times in a year instead of 12), so they have contracts that they will seek to enforce, even if you only come the first month. Ergo the details - if you cut off the money stream prematurely they have the details to send aggressive payment demands. Age details have to do with their insurance.

However, what they absolutely do NOT need is your phone number, and what they also absolutely should not do is store all of that data in one place. Why is a bank number accessible in the same place? DOB is, I believe, even classified as a special class of PII so that may end up being a fun sized fine, and attendance records may fall in the same category.

Last but not least, their email states that the unauthorised access was discovered "a few minutes after it occurred" (sure, that's why you lost 1M records?) and "no passwords were lost", as if that matters.

Re: Too much data collection bites again

Anonymous Coward

> "Age details have to do with their insurance."

Exactly why lawmakers need to step in and take away the excuse that banks or insurance companies "made" a business collect unnecessary personal information.

I use my building's (fairly basic) gym because the commercial gym business model of locking customers into contracts at a place they rarely visit is sleazy.

But recurring billing is a common thing, and there's no technical reason why we can't have a recurring billing standard allowing customers to log into their bank and authorize push payments with a defined amount, frequency, and duration. Let me tell my bank that I'm going to pay you 42 quid, once per month, for the next twelve months, in reference to account #12345. That would cut down on both fraud and consumer disputes.

No password

Anonymous Coward

No passwords were accessed, they say.

But the DB contained everything else.

So, safe to assume they "only" downloaded the hashed password.

Time to understand your email/passwd pair is compromised, dear customers...

Re: No password

Anonymous Coward

I'm so glad I gave them my work number and an email alias. I'm with quite a good bank, so not worried about that part, but the fact that they appear to have kept everything in one place ought to get them a fine that will make them sweat a lot more than their gyms will manage.

Re: No password

Anonymous Coward

Are the bookies taking action on whether it was MD5 or salted Argon2?

Re: MD5 or salted Argon2

Flocke Kroes

For a different gym the "passwords" are the same as the 8 digit codes used to get into the gym. I suspect at least one of those digits can be calculated from the others. For that gym the hash algorithm doesn't matter. Just create a 100,000,000 entry dictionary.
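The exhaustive-search argument in the comment above, together with the MD5-versus-Argon2 question earlier in the thread, as an added example that is not part of the original article or of any commenter's post. It assumes a hypothetical gym whose login secret is an all-digit code, that the suspected derived digit is a Luhn check digit (the commenter only suspects a derived digit; Luhn is an assumption here), and uses salted PBKDF2-HMAC-SHA256 as a stand-in for whatever hash such a site might actually use; the 100,000-iteration setting is an arbitrary stand-in for a deliberately slow KDF, not a real figure from any gym.

```python
"""Added example: a salted, iterated hash does not rescue an 8-digit code.

Assumptions (none come from the article or the thread): the secret is an
all-digit code, one digit may be a Luhn check digit, and PBKDF2-HMAC-SHA256
stands in for the unknown server-side hash. MD5, bcrypt or Argon2 would only
change the cost per guess, never the number of guesses.
"""
import hashlib
import os
import time


def luhn_valid(code: str) -> bool:
    """Standard Luhn check: for every (d-1)-digit prefix exactly one last digit passes."""
    total = 0
    for i, ch in enumerate(reversed(code)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hash_code(code: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash of the code (stand-in for the real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, iterations)


def keyspace(digits: int, check_digit: bool) -> int:
    """Candidates to try: 10**digits, or 10**(digits-1) when one digit is derived."""
    return 10 ** (digits - 1) if check_digit else 10 ** digits


def recover_code(target: bytes, salt: bytes, digits: int, iterations: int,
                 check_digit: bool = False):
    """Try every code in order. The salt sits beside the hash in the stolen
    table, so it only defeats precomputed tables; it never shrinks the search."""
    for n in range(10 ** digits):
        cand = f"{n:0{digits}d}"
        if check_digit and not luhn_valid(cand):
            continue  # a derived digit prunes 90% of candidates before hashing
        if hash_code(cand, salt, iterations) == target:
            return cand
    return None


def estimate_hours(digits: int, iterations: int, check_digit: bool,
                   samples: int = 200) -> float:
    """Single-core time for the full keyspace, extrapolated from `samples` hashes."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for n in range(samples):
        hash_code(f"{n:0{digits}d}", salt, iterations)
    per_hash = (time.perf_counter() - t0) / samples
    return keyspace(digits, check_digit) * per_hash / 3600


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed demo: a 5-digit Luhn-valid code stored as a salted hash.
    stolen = hash_code("01230", salt, iterations=1)
    print("recovered:", recover_code(stolen, salt, 5, 1, check_digit=True))
    # How long the full 8-digit space takes on one core, fast hash vs slow KDF.
    for iters in (1, 100_000):
        for chk in (False, True):
            h = estimate_hours(8, iters, chk, samples=20 if iters > 1 else 200)
            print(f"8 digits, check_digit={chk}, {iters:>6} iters: ~{h:.2f} core-hours")
```

The point the numbers make is the commenter's: a slow KDF multiplies the cost of each guess, but 10^8 (or 10^7 with a derived digit) guesses is small enough that even the slow case is a matter of core-hours, so the fix is a larger secret space, not a better hash.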

Re: MD5 or salted Argon2

Aladdin Sane

That gym is a different group though.

Re: No password

Anonymous Coward

I know some gyms were found to be allowing hashing of customers.... if you know what I mean

If it was Planet Fitness...

Luiz Abdala

...It would be a proper (as in, cruel and unusual) punishment to force the criminals to cancel every subscription personally, as well as paying for the cancellation fees.

(Yeah Fat electrician brought it to my attention)
