News
Technology News
Tech News
Ultrahuman says hackers accessed user wellness data through stolen credentials: All you need to know about the breach

Ultrahuman says hackers accessed user wellness data through stolen credentials: All you need to know about the breach

TOI Tech Desk / TIMESOFINDIA.COM / Jun 04, 2026, 10:01 IST

Comments

Text Size

Small
Medium
Large

Ultrahuman says hackers accessed user wellness data through stolen credentials: All you need to know about the breach

Ultrahuman, the India-based wearable technology startup known for its smart rings and health-tracking devices, has disclosed a data breach that exposed wellness data belonging to a small number of customers. The company said hackers gained unauthorized access to an internal analytics system on March 27 after stealing an employee's login credentials through malware installed on a company laptop. Ultrahuman detected the intrusion within hours, took the affected system offline, and revoked access. According to the company, around 0.1% of its users may have been affected, while passwords, payment details, production systems, and Ring devices were not compromised.Sharing information about the data breach, Ultrahuman published a notice, explaining how and when the incident occurred, who were impacted and measures taken by the company. Here’s what it said:Notice of a security incident — March 2026This page is a public record of a security incident that affected Ultrahuman's systems on 27 March 2026. The most important facts first: no passwords, card details, or payment data were involved, and we have found no evidence of misuse.If you received an email from security-2026@ultrahuman.com referencing this incident, your account was part of the affected dataset. The email lists the specific categories of information involved for your account. This page exists to give you a clear public summary of the incident.What happenedOn 27 March 2026, an unauthorised third-party gained read-only access to an internal system used for internal analytics. The access was constrained in scope by the system's design, which did not permit modification or deletion of data. We identified the incident promptly, took the affected system offline, and revoked all access.What information was and was not involvedThe information visible to the unauthorised individual varied by account. The dataset that was accessed contained, depending on the user, contact and account details, order and transaction history, and for a smaller group of users, some fitness related data associated with their product usage and purchases.No passwords, payment or credit card information were accessible or affected by this incident. The Ultrahuman Ring continues to operate normally and to record accurate wellness information.Steps we have takenAfter identifying the incident, we immediately took the affected system offline and revoked all access. We have since implemented the following remediation measures:

Strengthened access control policies across internal systems, including least-privilege access reviews.
Hardened endpoint security on all employee devices, with stricter configuration controls and continuous monitoring.
Increased the frequency of periodic access audits across internal tooling.
Deployed export-volume anomaly detection and alerting on internal systems.
We have also conducted active monitoring of public and other internet channels for any evidence of the publication or further misuse of the accessed information. To date, we have not identified any such publication or misuse.

NotificationsAffected users. All affected users have been notified directly by email on or after 2 June 2026. The email was sent from security-2026@ultrahuman.com with the subject line "A security notice from Ultrahuman about your account." Each email specifies the categories of information visible for the recipient's account.If you believe you may be affected but have not received an email, please write to security-2026@ultrahuman.com for confirmation.Regulatory authorities. Ultrahuman has notified the relevant regulatory authorities under applicable data protection law.What you should doAs a precaution, and as is standard practice after any incident, be alert to phishing attempts. If you receive any unexpected email, SMS, or telephone call referencing Ultrahuman, your orders, or your personal data, please treat it with caution, particularly where it conveys urgency or requests that you click a link.Ultrahuman will not ask you to confirm your password, payment details, or any other personal information by email or SMS.How do I know if I am affectedIf you received an email from security-2026@ultrahuman.com with subject line "A security notice from Ultrahuman about your account" on or after 2 June 2026 about this incident, your account was part of the affected dataset. The email tells you what was visible for your account. If you have an Ultrahuman account but have not received an email, your account was not in the affected dataset. If you are unsure, write to security-2026@ultrahuman.com and we will get back.What information was involvedThis varies by account. The dataset that was accessed contained the kind of information you provided when signing up and using Ultrahuman — such as contact details and order or transaction history. For a smaller group of users, the dataset also contained fitness-related data. Your specific notification email lists the categories applicable to your account.

About the AuthorTOI Tech Desk

The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.

End of Article