Overview
- Ultrahuman has confirmed that on March 27, 2026, an unauthorized party accessed one of its internal analytics systems using credentials taken from an employee’s malware‑infected laptop.
- Ultrahuman says the intruder had read‑only access and that the affected dataset varied by account, including contact and account details, order and transaction history, and fitness‑related data for a much smaller subset of users.
- The startup estimates about 0.1% of users were affected, which equals roughly 700 customers based on its previously reported monthly active user count, and it reports no evidence so far that any accessed data has been published or misused.
- Ultrahuman says its alerting systems detected the intrusion within hours and that it took the system offline and revoked access. It has implemented stronger endpoint and access controls while auditing whether any data was copied.
- The company notified regulators and affected users in early June after completing parts of its audit. Coverage of the incident is questioning whether that delay of more than two months met India’s CERT‑In six‑hour reporting rule and the DPDP Rules’ prompt notification and 72‑hour reporting requirements.