Smart Fit data breach exposed via unsecured smart turnstile system

Customer personal data including documents and photos of gym members was exposed, potentially enabling identity fraud, targeted crimes, and physical security threats.
An unlocked door to names, documents, and photos of every member
How the exposed IP address functioned as a gateway to customer data at a Smart Fit gym location.

In the connected city, even the door to a gym can become a window into someone's life. A security researcher in Brazil discovered that a Smart Fit turnstile system had left its internet address unguarded, allowing anyone to reach inside and retrieve the names, documents, and faces of gym members — and even unlock the door itself. The incident, resolved within hours of public disclosure on May 25, 2026, raises a question that echoes far beyond one São Paulo fitness chain: when the physical and digital worlds are woven together, who is truly responsible for the threshold between them?

  • A publicly exposed IP address turned a gym turnstile into an open portal — anyone online could access member identities, photos, and entry records without a password or credential.
  • Security researchers posted live evidence on social media, including a working dashboard built with AI tools that displayed real member data, accelerating both awareness and potential misuse.
  • The window of exposure remained undefined — no one could say how long the vulnerability had existed, how many members were affected, or whether anyone malicious had already walked through.
  • The leaked data carried physical danger: geolocation tied the breach to a specific São Paulo neighborhood, giving bad actors a map of people's routines, faces, and a way into the building.
  • Smart Fit confirmed the fix but offered no specifics on affected members, notifications, or accountability — leaving its obligations under Brazil's LGPD data protection law unresolved and customers in the dark.

On the afternoon of May 25, a security researcher known as Clandestine noticed something that should not have been visible: the internet address of a Smart Fit gym's intelligent turnstile, sitting open and unprotected on the public web. Through that exposed address, anyone could retrieve the names, identification documents, and profile photos of gym members, and even grant themselves physical access to the building. Clandestine posted the finding on X at 3:59 p.m., calling on Smart Fit to act.

Hours later, a second researcher named Hiago Felipe published a more detailed demonstration — a dashboard, built using AI-assisted coding techniques, that displayed what appeared to be real member data: documents, user IDs, membership types, and precise entry timestamps. By 9:25 p.m. that same evening, the IP address had gone dark. But the damage window remained unknown. No one could confirm how long the system had been exposed, which specific location was affected, or whether anyone had already harvested the data.

The stakes extended well beyond a typical data leak. An IP address geolocation pointed to a neighborhood near Viaduto do Chá in São Paulo, home to at least two Smart Fit locations. Combined with member photos and documents, that information could enable identity fraud, targeted robbery, or stalking — a gym's member database being, in effect, a map of people's faces, routines, and whereabouts. The turnstile manufacturer, IntegraFácil IOT Solutions, did not respond to requests for comment.

Smart Fit confirmed the incident to TecMundo, describing it as "promptly detected and corrected," and noted that gym operations were uninterrupted. The company offered no details about how many members were exposed or how it planned to notify them. Under Brazil's LGPD, the company is obligated to report the breach to the national data protection authority and inform affected individuals. Brazilian courts have recently held, however, that customers seeking compensation must demonstrate concrete harm — meaning that for many members, the most troubling uncertainty may be whether they will ever learn their data was at risk at all.

On Monday afternoon, a security researcher using the handle Clandestine discovered that a Smart Fit gym's intelligent turnstile system was reachable at an internet address that anyone who knew where to look could find. The exposed IP address, which should have been locked behind layers of security, instead sat open on the public internet like an unlocked door. Through that door, an intruder could pull the names, identification documents, and profile photos of every gym member who had swiped in at that location. They could also grant themselves entry whenever they wished.

Clandestine posted the discovery on X at 3:59 p.m. on May 25, including evidence of the vulnerability and a direct request that Smart Fit fix it. By 7:17 p.m. that same day, another researcher named Hiago Felipe had published a more detailed demonstration. His post showed a dashboard displaying what appeared to be member information from the affected gym—documents, unique user identification numbers, membership types, and the exact times people had entered through the turnstile. The tool had been built with AI-assisted coding, a practice sometimes called "vibe coding."

Within hours of these public disclosures, the IP address went dark. By 9:25 p.m., it was no longer accessible. Yet the damage window remained unclear. No one could confirm how long the turnstile had been exposed, which specific gym location had been compromised, or how many members' information had been accessed. The company that manufactured the turnstile system, IntegraFácil IOT Solutions, did not respond to requests for comment.

To understand why this mattered so much, consider what an IP address actually is. It functions like a street address for devices on the internet—a way for one machine to find and communicate with another. A device is either reachable from the public internet or kept on a private network that only people with proper credentials can enter. In this case, the Smart Fit turnstile's address was public, meaning anyone on the internet could attempt to interact with it. And because it controlled access to a physical location and held personal data, the consequences extended far beyond the digital realm. The exposed IP address could be traced to a location near Viaduto do Chá in São Paulo, where at least two Smart Fit locations operate. Someone with the right knowledge could use that information not just to steal identities, but to track members, follow them, or break into their homes.
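As an added illustration of the distinction drawn above (not code from the article, from Smart Fit or from the turnstile vendor), the audit below uses Python's standard ipaddress module to classify the addresses in a constructed inventory of access-control devices and flag any that are globally routable, the condition that put the turnstile within reach of anyone on the internet. The device names and addresses are invented sample data; 8.8.8.8 is only a stand-in for a public address.

```python
import ipaddress

# Constructed sample inventory: names and addresses are invented. A physical
# access controller should only ever sit on a private segment; a globally
# routable address means anyone on the internet can attempt to reach it.
TURNSTILE_INVENTORY = {
    "turnstile-lobby-a": "10.20.5.17",    # private (RFC 1918): expected
    "turnstile-lobby-b": "100.64.1.5",    # carrier-grade NAT shared space
    "turnstile-annex":   "8.8.8.8",       # stand-in for a public address
    "turnstile-test":    "169.254.10.1",  # link-local, not routable at all
}

def classify(addr: str) -> str:
    """Map an IPv4/IPv6 address string to a reachability class."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    # 100.64.0.0/10 (shared address space) is neither private nor global in
    # Python's ipaddress module; name it separately so it is not mis-scored.
    return "shared"

def exposed_devices(inventory: dict) -> list:
    """Return the names of devices whose address is globally routable.
    These are the findings that need remediation: move the device to a
    private segment, restrict it with a firewall, and require a credential."""
    return sorted(
        name for name, addr in inventory.items()
        if classify(addr) == "global"
    )

if __name__ == "__main__":
    for name, addr in TURNSTILE_INVENTORY.items():
        print(f"{name:20} {addr:16} {classify(addr)}")
    print("needs remediation:", exposed_devices(TURNSTILE_INVENTORY))
```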

The data itself—names, documents, photos—has immediate market value on the dark web. Criminals buy and sell such information to build elaborate fraud schemes or to populate databases used for targeted crimes. But in this case, the exposure created an additional layer of danger. A gym is a high-traffic commercial space, and its member database is a map of people's routines and locations. That information, combined with the ability to physically access the building, opened possibilities for stalking, robbery, or worse.

When TecMundo contacted Smart Fit, the company confirmed the incident and stated that the problem had been "promptly detected and corrected." The gym's operations continued without interruption. The company did not identify which location had been affected, and it offered no details about how many members were exposed or what steps it was taking to notify them. Smart Fit's statement emphasized its "continuous investments" in security improvements but provided no timeline or specifics.

Under Brazil's General Data Protection Law, known as the LGPD, companies must notify the National Data Protection Authority (ANPD) when customer data is breached. They must also inform affected individuals and offer remedies. Smart Fit's obligation to comply with these requirements remains active. However, Brazilian courts have recently ruled that customers seeking monetary compensation must prove they suffered actual harm from the breach—the exposure of data alone does not automatically entitle them to payment. For the members of that Smart Fit location, the question now is whether they will ever know their information was at risk, and whether they can demonstrate concrete damage if they choose to pursue legal action.

The situation was promptly detected and corrected, without impact to the continuity of operations
— Smart Fit official statement
The Hearth Conversation
Another angle on the story
Inventor

Why does an exposed IP address matter more than, say, a stolen password list?

Model

Because an IP address is a physical location marker. It's not just data—it's a map. Someone with that address can find the building, watch who comes and goes, time their routines. A password list is valuable for fraud. An IP address tied to a gym membership database is valuable for crimes that happen in the real world.

Inventor

The article mentions the IP was traced to São Paulo. How precise is that geolocation?

Model

Precise enough to narrow it down to a neighborhood. The source points to Viaduto do Chá, and there are at least two Smart Fit locations within a few blocks. So while you might not know the exact gym, you know the area and the type of building. For someone planning a crime, that's enough.

Inventor

Smart Fit said the problem was "promptly corrected." Do we know how long it was actually exposed?

Model

No. That's one of the gaps in the reporting. The researcher found it on Monday afternoon. It was closed by late evening. But we don't know if it had been open for days, weeks, or months before that. Smart Fit hasn't said, and the company that built the system hasn't responded at all.

Inventor

What happens to the members whose data was exposed?

Model

Legally, they have to prove they were harmed to get compensation. Just having your documents and photos stolen doesn't automatically qualify. They'd need to show they were victims of fraud, identity theft, or some other concrete damage. Many will never know their data was exposed.

Inventor

Is this a Smart Fit problem or an IntegraFácil problem?

Model

Both. IntegraFácil built the system, but Smart Fit deployed it and is responsible for securing it. The manufacturer hasn't commented, and that silence is telling. Someone has to answer for why a security system was left open to the internet.
