Ultrahuman confirms wellness data breach affecting 700 customers
CEO Mohit Kumar states that while no financial or production data was compromised, the company is auditing the full scope of the incident after hackers accessed approximately 0.1% of user accounts.
Wearable health-tech startup Ultrahuman has confirmed that hackers accessed the wellness data of approximately 0.1% of its users, equating to at least 700 customers. The breach occurred on 27 March when attackers stole an employee’s credentials from a malware-infected laptop, gaining read-only access to an internal analytics system. The company informed affected customers of the incident via email on 3 June, following a period where it delayed notification to conduct a thorough audit of the incident's scope.
Ultrahuman, which sells smart rings and metabolic health-tracking devices, stated that it detected the intrusion promptly and took the affected system offline. The startup revoked all access to the compromised analytics tool and confirmed that no passwords, payment information, production systems, or physical devices were compromised. The breach highlights the broader industry practice where wellness tracker startups store user data on servers, allowing access by employees, governments, and malicious actors.
CEO Mohit Kumar confirmed that regulators have been notified and that an audit is underway to determine the full extent of the data exposure. While the company declined to define exactly what constitutes “wellness data” in this context, it clarified that the threat actor obtained only read-only access to the affected system. Ultrahuman also declined to disclose whether its investigation had determined if any customer data was actually exfiltrated from their systems.
Founded in 2019, Ultrahuman is best known for its Ring Air, which competes with the Oura Ring, and recently introduced the Ring Pro with upgraded sensors and battery life. Prior to the breach, the startup reported roughly 700,000 monthly active users. The company has raised around $103 million to date, with investors including Nexus Venture Partners, Steadview Capital, and Blume Ventures.
Ultrahuman did not provide details on whether it received any communication from the hackers responsible for the incident. The company’s security alerting systems detected the breach within hours, allowing the team to close the vulnerability swiftly. As the audit continues, the startup is working to determine the precise nature of the data accessed by the threat actor during the window of unauthorized access.
