\n<\/p>\n
Wearable health-tech startup Ultrahuman<\/a> said hackers gained unauthorized access to customers\u2019 wellness data after stealing an employee\u2019s credentials through malware.<\/p>\n On Wednesday, the India-based startup informed affected customers of the incident via email, stating that the breach occurred on March 27 and involved a system used for internal analytics. The company said it detected the intrusion promptly, took the affected system offline, and revoked all access.<\/p>\n Founded in 2019, Ultrahuman sells smart rings and metabolic health-tracking devices that enable users to monitor metrics such as sleep, activity and recovery. The startup is best known for its Ring Air<\/a>, which competes with the Oura Ring, and recently introduced the Ring Pro<\/a> with upgraded sensors and battery life.<\/p>\n Confirming the incident, Ultrahuman told TechCrunch that the attackers gained access using credentials stolen from an employee\u2019s malware-infected laptop, resulting in wellness data belonging to about 0.1% of users being accessed. <\/p>\n Based on the company\u2019s previously reported figure of roughly 700,000 monthly active users<\/a>, that would equate to at least 700 customers who had their health data accessed. Ultrahuman did not dispute this figure, but declined to disclose the exact number of customers affected. The company said no passwords, payment information, production systems, or Ultrahuman Ring devices were compromised.<\/p>\n \u201cOur security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,\u201d Ultrahuman CEO Mohit Kumar said in a statement to TechCrunch.<\/p>\n Kumar added that the startup was notifying regulators and had delayed informing affected users while it audited the full scope of the incident and determined what data had been affected.<\/p>\n Ultrahuman declined to share any details on whether it received any communication from the hackers responsible for the incident, nor say what exactly constitutes \u201cwellness data.\u201d The breach highlights how wellness tracker startups, like Ultrahuman and also Oura, store users\u2019 data on their servers in a way that allows their employees \u2014 as well as governments and malicious hackers \u2014 to access customers\u2019 health data.<\/p>\n The startup said in an FAQ published<\/a> on its website that the threat actor obtained \u201cread-only\u201d access to the affected system. However, the company declined to confirm whether its investigation had determined if any customer data was exfiltrated.<\/p>\n Ultrahuman counts Nexus Venture Partners, Steadview Capital, and Blume Ventures among its investors. The startup has raised around $103 million<\/a> to date, per Tracxn.<\/p>\n<\/div>\n When you purchase through links in our articles, we may earn a small commission<\/a>. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n