
Iron Bodyfit Allegedly Breached as 382K Customer Records Offered for Sale

A threat actor claims to be selling an alleged Iron Bodyfit database containing 382,544 customer records, with screenshots appearing to support the claim.
[Image: Forum post advertising the sale of an alleged Iron Bodyfit customer database affecting 382,544 customers and claiming exposure of personal, membership, contact, and health-related information.]

A threat actor is claiming to be selling an alleged Iron Bodyfit customer database containing information on 382,544 individuals, including personal details, membership records, contact information, and health-related fields.

The listing was published on June 17 and advertises a JSON database allegedly affecting customers across Iron Bodyfit’s international fitness franchise network. Iron Bodyfit operates EMS-based fitness studios in multiple countries, including France, the United States, Canada, Mauritius, and other international markets.

While the claim remains unverified, the threat actor published screenshots that appear to show a large customer database consistent with the information described in the sales listing.

Threat actor claims customer and membership data exposed

According to the listing, the alleged database contains customer profiles, membership information, contact records, billing-related details, gym affiliation data, and account status information.

The threat actor claims the dataset includes names, email addresses, phone numbers, physical addresses, dates of birth, membership plans, contract information, pricing details, payment status information, and associated gym locations.

The listing further alleges that health-related fields are present within customer records, including indicators relating to allergies, diseases, and medications.

If authentic, the combination of personal information, membership records, and health-related data could create elevated privacy risks for affected individuals.

Published screenshots appear to support claim

The threat actor published screenshots that appear to show a JSON database containing approximately 382,540 customer records, closely matching the claimed total of 382,544 customers.

The screenshots reviewed by BreachNews display customer records containing names, email addresses, phone numbers, dates of birth, language preferences, membership details, account status information, and associated gym locations.

A separate screenshot appears to show file metadata indicating a database size of approximately 292 MB and a creation date of June 9, 2026, which aligns with the date referenced in the sales listing.

The screenshots also appear to contain records associated with locations in Canada and France, potentially indicating that multiple countries within Iron Bodyfit’s franchise network are represented in the alleged dataset.

While the screenshots provide evidence that a dataset exists, BreachNews has not independently verified that the information originated from Iron Bodyfit or confirmed the full number of records claimed by the threat actor.

Health-related fields increase potential sensitivity

One notable aspect of the alleged dataset is the inclusion of fields associated with customer health information.

According to the listing, records may contain indicators relating to allergies, diseases, and medications. Although the screenshots reviewed by BreachNews did not reveal the full scope of such information, the presence of health-related fields could increase the sensitivity of the alleged exposure.

Depending on the jurisdictions involved and the nature of the underlying data, exposure of health-related information may trigger additional regulatory and privacy obligations.

Organization has not publicly commented

At the time of publication, Iron Bodyfit had not issued any public statement regarding the alleged breach.

The threat actor claims the dataset was collected on June 9, 2026 and contains 382,544 customer records. Those claims have not been independently verified.

While the published screenshots appear consistent with the actor’s description of the dataset, the origin, authenticity, and full scope of the alleged exposure remain unconfirmed.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
