Ultrahuman reports customer wellness data breach linked to internal tool access
Ultrahuman says hackers gained unauthorised access to customers’ wellness data via an internal tool, prompting an investigation into the security incident.
Wearable health technology startup Ultrahuman has disclosed that hackers gained unauthorised access to customer wellness data after stealing credentials from an employee whose laptop was infected with malware.
The India-based company informed affected customers via email on Wednesday, stating that the incident occurred on March 27 and involved an internal analytics system. Ultrahuman said it detected the intrusion quickly, took the affected system offline, and revoked access immediately.
Founded in 2019, Ultrahuman develops smart rings and metabolic health-tracking devices that help users monitor metrics such as sleep, activity, and recovery. The company is best known for its Ring Air, a competitor to the Oura Ring, and recently launched the Ring Pro, which features upgraded sensors and longer battery life.
Ultrahuman confirmed that attackers used credentials stolen from a malware-infected employee device, resulting in access to wellness data belonging to roughly 0.1% of users.
Based on the company’s previously reported figure of around 700,000 monthly active users, that percentage would represent at least 700 customers. While Ultrahuman did not dispute the estimate, it declined to reveal the exact number of affected users.
The company stressed that no passwords, payment details, production systems, or Ultrahuman Ring devices were compromised during the breach.
“Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” CEO Mohit Kumar said in a statement.
Kumar added that Ultrahuman is notifying regulators and delaying informing customers until it completes an assessment of the incident and identifies the data involved.
The company declined to say whether it had received any communication from the attackers and did not specify what types of information were included in the category of “wellness data.”
The incident highlights ongoing concerns about how wellness-tracking companies such as Ultrahuman and Oura store sensitive user information in centralised systems that employees, government authorities, or cybercriminals could access.
In an FAQ published on its website, Ultrahuman stated that the threat actor had “read-only” access to the affected system. However, the company declined to say whether its investigation had determined that any customer information was copied or exfiltrated.
Ultrahuman is backed by investors including Nexus Venture Partners, Steadview Capital, and Blume Ventures. According to Tracxn, the startup has raised approximately $103 million in funding to date.