Title: Ultrahuman Reveals Internal Tool Breach Exposed Limited Customer Wellness Data

Wearable technology firm Ultrahuman has disclosed that cybercriminals infiltrated its internal analytics infrastructure by compromising an employee’s login credentials via malware. The India-headquartered company notified impacted users through email on Wednesday, confirming that the security incident took place on March 27.

Ultrahuman, established in 2019, manufactures metabolic health trackers and smart rings, including the popular Ring Air and the recently launched Ring Pro, which features enhanced sensors and improved battery performance. These devices allow consumers to track vital metrics such as recovery, activity levels, and sleep patterns.

According to the startup, its security protocols identified the intrusion rapidly, leading to the immediate isolation of the compromised system and the revocation of all associated access rights. Speaking to TechCrunch, the company clarified that the attackers leveraged stolen credentials from a laptop infected with malware. This breach resulted in the unauthorized access of wellness data belonging to approximately 0.1% of the user base.

While Ultrahuman did not provide a precise count of affected individuals, it acknowledged that based on its reported figure of roughly 700,000 monthly active users, the breach likely impacted at least 700 customers. The firm declined to specify the exact number of users involved.

Mohit Kumar, CEO of Ultrahuman, emphasized the speed of their response in a statement to TechCrunch. “Our security alerting systems detected the incident within hours, and we closed the vulnerability swiftly,” Kumar said. He noted that the company had informed relevant regulators and postponed notifying users while conducting a thorough audit to determine the full extent of the data exposure.

The startup confirmed that sensitive information such as passwords, payment details, production systems, and the physical Ring devices themselves remained secure. However, Ultrahuman refused to disclose whether it had received any communications from the perpetrators or to define precisely what is categorized as “wellness data.”

In an FAQ posted on its website, the company stated that the intruder gained “read-only” access to the specific system. Nevertheless, Ultrahuman did not confirm whether its investigation had determined if any customer data was actually extracted or exfiltrated.

This incident underscores the broader vulnerabilities faced by wellness tracker companies, such as Oura and Ultrahuman, which store user data on centralized servers. This architecture allows access not only to employees and government entities but also potentially to malicious actors.

Ultrahuman has secured approximately $103 million in funding to date, according to Tracxn, with investors including Blume Ventures, Steadview Capital, and Nexus Venture Partners.

Source: TechCrunch Generated at: 2026-06-03 17:30:52 UTC