Fitness startup Mirror nears $300M valuation with fresh funding

Today, Peloton is a bonafide success. The company, which sells $2,245 internet-connected exercise bikes, boasts a $4 billion valuation and a cult following.

That hasn’t always been the case. For years, Peloton battled for venture capital investment and struggled to attract buyers. Now that it’s proven the market for tech-enabled home exercise equipment and affiliated subscription products, a whole bunch of startups are chasing down the same customer segment.

Mirror, a New York-based company that sells $1,495 full-length mirrors that double as interactive home gyms, is closing in on a round of funding expected to reach $36 million, sources and Delaware stock filings confirm, at a valuation just under $300 million. It’s unclear who has signed on to lead the round; we’ve heard a number of high-profile firms looked at Mirror’s books and passed. The company has previously raised a total of $38 million from Spark Capital, First Round Capital, Lerer Hippeau, BoxGroup and more.

Mirror declined to comment for this story.

Like Peloton, Mirror sells its hardware for a hefty fee, with a subscription to the service’s unlimited live and on-demand workouts at an additional cost. The company hasn’t disclosed subscriber numbers, though The New York Times reported in February the business was selling $1 million worth of Mirrors — or some 650 units — per month.

The company has not only benefited from the Peloton effect, but also from a near-immediate interest from celebrities and influencers in its product. Kate Hudson, Alicia Keys, Reese Witherspoon, Jennifer Aniston and Gwyneth Paltrow are among the many celebrities to have publicly boasted about Mirror, undoubtedly boosting sales for the up-and-coming startup.

Venture capitalists were quick to show support for Mirror, too; in fact, the business attracted money at a $200 million valuation prior to launching its first product. Mirror began selling its sleek equipment, dubbed by The New York Times as “The Most Narcissistic Exercise Equipment Ever,” in September.

SAN FRANCISCO, CA – SEPTEMBER 06: Mirror Founder and CEO Brynn Putnam (L) and moderator Lucas Matney speak onstage during Day 2 of TechCrunch Disrupt SF 2018 at Moscone Center on September 6, 2018, in San Francisco, California. (Photo by Steve Jennings/Getty Images for TechCrunch)

The round comes amid a distinct boom in funding for fitness-related startups, evidenced not only by Peloton’s mammoth valuation and much-hyped initial public offering, expected soon, but by the rapid uptick in small upstarts looking to capitalize on rising interest in fitness apps and equipment. In total, VCs bet some $2 billion on U.S. fitness startups in 2018, a record amount of funding for the space. So far this year, nearly $500 million has been allocated to the growing sector, per PitchBook, as entrepreneurs strive to bring the gym into the home.

Tonal, which sells personal exercise equipment that combines on-demand training with smart features, is among a small class of venture-backed fitness companies to have accumulated a large following. The company has raised $91.7 million in equity funding at a valuation of $185 million, according to PitchBook, from investors including L Catterton, Shasta Ventures, Mayfield and Sapphire Sport.

When it comes to early-stage efforts, there’s no shortage of recent fundraises. Last week, Livekick, which gives customers access to one-on-one personal training and yoga from their home, closed a $3 million seed round led by Firstime VC. Two weeks ago, fitness startup Future secured an $8.5 million round led by Kleiner Perkins’ Mamoon Hamid. For a $150 monthly fee, Future assigns personalized workout plans and a coach who tracks customers’ fitness activity through an Apple Watch. To keep users committed to their workout regimens, Future sends daily text messages with motivational feedback.

The AI-based personal training company Aaptiv, Plankk, which sells live fitness lessons led by Instagram stars, and audio coaching app Eastnine, have also recently launched.

Mirror was founded in late 2016 by Brynn Putnam, an entrepreneur behind Refine Method, a chain of boutique fitness studios located in New York. The former professional dancer spoke to TechCrunch’s Lucas Matney at Disrupt San Francisco in September about the future of the business.

“[We want] to enhance the human touch rather than to replace it,” Putnam said. “Our goal is not to be the next treadmill in your life, our goal is to be the next screen in your home.”

Ultimately, Putnam added, Mirror plans to scale beyond fitness content with potential extensions including physical therapy, fashion, beauty and education.

“We have the ability to create personalized premium content across a wide range of verticals, with fitness being our first vertical,” Putnam said.

Startups net more than capital with NBA players as investors

If you’re a big basketball fan like me, you’ll be glued to the TV watching the Golden State Warriors take on the Toronto Raptors in the NBA finals. (You might be surprised who I’m rooting for.)

In honor of the big games, we took a shot at breaking down investment activities of the players off the court. Last fall, we did a story highlighting some of the sport’s more prolific investors. In this piece, we’ll take a deeper dive into just what having an NBA player as a backer can do for a startup beyond the capital involved. But first, here’s a chart of some startups funded by NBA players, both former and current.


In February, we covered how digital sports media startup Overtime had raised $23 million in a Series B round of funding led by Spark Capital. Former NBA Commissioner David Stern was an early investor and advisor in the company (putting money in the company’s seed round). Golden State Warriors player Kevin Durant invested as part of the company’s Series A in early 2018 via his busy investment vehicle, Thirty Five Ventures. And then, Carmelo Anthony invested (via his Melo7 Tech II fund) earlier this year. Other NBA-related investors include Baron Davis, Andre Iguodala and Victor Oladipo, and other non-NBA backers include Andreessen Horowitz and Greycroft.

I talked to Overtime’s CEO, 27-year-old Zack Weiner, about how the involvement of so many NBA players came about. I also wondered what they brought to the table beyond their cash. But before we get there, let me explain a little more about what Overtime does.

Founded in late 2016 by Dan Porter and Weiner, the Brooklyn company has raised a total of $35.3 million. The pair founded the company after observing “how larger, legacy media companies, such as ESPN, were struggling” with attracting the younger viewer who was tuning into the TV less and less “and consuming sports in a fundamentally different way.”

So they created Overtime, which features about 25 to 30 sports-related shows across several platforms (which include YouTube, Snapchat, Instagram, Facebook, TikTok, Twitter and Twitch) aimed at millennials and the Gen Z generation. Weiner estimates the company’s programs get more than 600 million video views every month.

In terms of attracting NBA investors, Weiner told me each situation was a little different, but with one common theme: “All of them were fans of Overtime before we even met them…They saw what we were doing as the new wave of sports media and wanted to get involved. We didn’t have to have 10 meetings for them to understand what we were doing. This is the world they live and breathe.”

So how is having NBA players as investors helping the company grow? Well, for one, they can open a lot of doors, noted Weiner.

“NBA players are very powerful people and investors,” he said. “They’ve helped us make connections in music, fashion and all things tangential to sports. Some have created content with us.”

In addition, their social clout has helped with exposure. Their posting or commenting on Instagram gives the company credibility, Weiner said.

“Also just, in general, getting their perspectives and opinions,” he added. “A lot of our content is based on working with athletes, so they understand what athletes want and are interested in being a part of.”

It’s not just sports-related startups that are attracting the interest of NBA players. I also talked with Hussein Fazal, the CEO of SnapTravel, which recently closed a $21.2 million Series A that included participation from Telstra Ventures and Golden State Warriors point guard Stephen Curry.

Founded in 2016, Toronto-based SnapTravel offers online hotel booking services over SMS, Facebook Messenger, Alexa, Google Home and Slack. It’s driven more than $100 million in sales, according to Fazal, and is seeing its revenue grow about 35% quarter over quarter.

Like Weiner, Fazal told me that Curry’s being active on social media about SnapTravel helped draw positive attention and “add a lot of legitimacy” to his company.

“If you’re an end-consumer about to spend $1,000 on a hotel booking, you might be a little hesitant about trusting a newer brand like ours,” he said. “But if they go to our home page and see our investors, that holds some weight in the eyes of the public, and helps show we’re not a fly-by-night company.”

Another way Curry’s involvement has helped SnapTravel is in terms of the recruitment and retainment of employees. Curry once spent hours at the office, meeting with employees and doing a Q&A.

“It was really cool,” Fazal said. “And it helps us stand out from other startups when hiring.”

Regardless of who wins the series, it’s clear that startups with NBA investors on their team have a competitive advantage. (Still, Go Raptors!)

Flipboard hacks prompt password resets for millions of users

Social sharing site and news aggregator Flipboard has reset millions of user passwords after hackers gained access to its systems several times over a nine-month period.

The company confirmed in a notice Tuesday that the hacks took place first between June 2, 2018 and March 23, 2019 and a second time on April 21-22, 2019, but the intrusions were only detected on April 23, a day after the second one.

Hackers stole usernames, email addresses, passwords and account tokens for third-party services. According to the notice, “not all” Flipboard users’ account data were involved in the breaches but the company declined to say how many users were affected.

Flipboard has more than 150 million monthly users.

“We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens,” the notice read.

Although the passwords were stored in hashed form rather than plaintext, Flipboard said passwords set prior to March 14, 2012 were scrambled using the older, weak SHA-1 hashing algorithm. Any passwords changed after that date are scrambled using a much stronger algorithm that makes them far more difficult to recover in a usable format.

The hacks also exposed account tokens, which give Flipboard access to data from accounts on other services, like Facebook, Google, and Samsung.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts,” said the statement. “As a precaution, we have replaced or deleted all digital tokens.”

Flipboard becomes the latest tech giant to be hit by hackers in recent months. Developer platform Stack Overflow earlier this month confirmed that a breach had exposed some user data. Canva, one of the biggest sites on the internet, was also hacked. Last week, the Australia-based company admitted close to 140 million users had data stolen following the breach.


Google says some G Suite user passwords were stored in plaintext since 2005

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are onboarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

No consumer Gmail accounts were affected by the security lapse, said Frey.

“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google has more than 5 million enterprise customers using G Suite.

Google said it also discovered a second security lapse earlier this month as it was troubleshooting new G Suite customer sign-ups. The company said since January it was improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. Those systems, Google said, were only accessible to a limited number of authorized Google staff.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.

Google said it has notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change them.

A spokesperson confirmed Google has informed data protection regulators of the exposure.

Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. Facebook said in March that “hundreds of millions” of Facebook and Instagram passwords were stored in plaintext. Twitter and GitHub also admitted similar security lapses last year.


After breach, Stack Overflow says some user data exposed

After disclosing a breach earlier this week, Stack Overflow has confirmed some user data was accessed.

In case you missed it, the developer knowledge sharing site confirmed Thursday a breach of its systems last weekend, resulting in unauthorized access to production systems — the front-facing servers that actively power the site. The company gave few details, except that customer data was unaffected by the breach.

Now the company said the intrusion on the website began about a week earlier and “a very small number” of users had some data exposed.

“The intrusion originated on May 5 when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier as well as escalate their access on the production version of stackoverflow.com,” said Mary Ferguson, vice president of engineering.

“This change was quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion,” she said.

Although the user database wasn’t compromised, “we have identified privileged web requests that the attacker made that could have returned IP address, names, or emails” for some users.

The company didn’t immediately quantify how many users were affected. Stack Overflow has 10 million registered users. Spokesperson Khalid El Khatib said “approximately 250 public network users” were affected. Ferguson said affected users will be notified.

Stack Overflow’s teams, business and enterprise customers are on separate, unaffected infrastructure, she said, and there’s “no evidence” that those systems were accessed. The company’s advertising and talent business is said to be unaffected.

In response to the incident, the company terminated the unauthorized access and is conducting an “extensive” audit of its logs to gauge the level of access gained by the attacker.


Stack Overflow confirms breach, but customer data said to be unaffected

Developer knowledge sharing site Stack Overflow has confirmed hackers breached its systems, but said customer data is unaffected.

“Over the weekend, there was an attack on Stack Overflow,” wrote Mary Ferguson, vice president of engineering. “We have confirmed that some level of production access was gained on May 11.”

“We discovered and investigated the extent of the access and are addressing all known vulnerabilities,” said Ferguson. “We have not identified any breach of customer or user data,” she said.

An investigation into the breach is ongoing.

The company otherwise remained tightlipped about the breach, its cause, and the effect. We’ve sent several questions to the company but did not immediately hear back.

Stack Overflow, founded in 2008, has more than 50 million developer members who use the site to share code and knowledge. It remains one of the top 50 most popular sites on the web, according to rankings by internet analytics site Alexa. The company is backed by Andreessen Horowitz and Bezos Expeditions, raising $40 million in its most recent Series D funding round in 2015.


Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone

A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids, and track vehicles — contains security flaws, which security researchers say are so severe the device should be recalled.

The Chinese-manufactured white-label location tracker, rebranded and sold by over a dozen companies — including Pebbell by HoIP Telecom, OwnFone Footprint, and SureSafeGo — uses a SIM card to connect to the 2G/GPRS cell network. Although none of the devices have internet connectivity and won’t be found on exposed device database sites like Shodan, they can still be remotely accessed and controlled by SMS.

Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless.

Although the device can be protected with a PIN, it’s not enabled by default. Worse, the researchers found the device can be remotely reset without needing a PIN — opening up the device to further commands.

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

An attacker only requires the phone number of the device, Mabbitt told TechCrunch. His team showed it was easy to extrapolate hundreds of working phone numbers connected to vulnerable devices based off a single known device. “We made the assumption that these numbers were purchased in a batch,” said the team’s write-up.

The team bought a device and allowed TechCrunch to verify their findings. With a single command, we got a text message back in seconds with the precise co-ordinates of its location. We could also pull other information from the device, including its IMEI number and battery level.

The phone call trick, which Mabbitt called a “glorified wiretap,” also worked.

One text message to a vulnerable device, bought by the security researchers, allowed us to remotely grab its real-time coordinates. The geolocation was precise to a few meters. (Image: TechCrunch)

There are an estimated 10,000 devices in the U.K. — and thousands more around the world. The team told several of the device makers of the flaws, but Mabbitt said there’s no way to fix the vulnerabilities without recalling every device.

“Fixing this broken security would be trivial,” said the team. “All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.”

The U.K. just last week announced a proposed new cybersecurity law that would require connected devices to be sold with a unique password, and not a default.

None of the device sellers we contacted responded to a request for comment.


Samsung spilled SmartThings app source code and secret keys

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside each project and access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied).

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.


Job recruitment site Ladders exposed 13 million user profiles

Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.

The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.

Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.

Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.

TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.

Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

A partial record (redacted) including a person’s name, address, phone number, job description and details of their security clearance (Image: supplied)

Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.

Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based on their IP address.

The database contained years’ worth of records.

Some records included their work authorizations, such as whether they are a U.S. citizen or if they are on a visa, such as an H-1B. Others listed their U.S. security clearance alongside their corresponding jobs, such as telecoms or military.

More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.

Security researcher Jain recently found a leaking Wi-Fi password database and an exposed back-end database for a family-tracking app, including the real-time location data of children.


Developers can now verify mobile app users over WhatsApp instead of SMS

Facebook today released a new SDK that allows mobile app developers to integrate WhatsApp verification into Account Kit for iOS and Android. This will allow developers to build apps where users can opt to receive their verification codes through the WhatsApp app installed on their phone instead of through SMS.

Today, many apps give users the ability to sign up using only a phone number — a now popular alternative to Facebook Login, thanks to the social network’s numerous privacy scandals that led to fewer people choosing to use Facebook with third-party apps.

Plus, using phone numbers to sign up is common with a younger generation of users who don’t have Facebook accounts — and sometimes barely use email, except for joining apps and services.

When using a phone number to sign in, it’s common for the app to confirm the user by sending a verification code over SMS to the number provided. The user then enters that code to create their account. This process can also be used when logging in, as part of a multi-factor verification system where a user’s account information is combined with this extra step for added security.

While this process is straightforward and easy enough to follow, SMS is not everyone’s preferred messaging platform. That’s particularly true in emerging markets like India, where 200 million people are on WhatsApp, for example. In addition, those without an unlimited messaging plan are careful not to overuse texting when it can be avoided.

That’s where the WhatsApp SDK comes in. Once integrated into an iOS or Android app, developers can offer to send users their verification code over WhatsApp instead of text messaging. They can even choose to disable SMS verification, notes Facebook.

This is all a part of WhatsApp’s Account Kit, which is a larger set of developer tools designed to allow people to quickly register and log in to apps or websites using only a phone number and email, no password required.

The WhatsApp verification code option has been available in WhatsApp’s web SDK since late 2018, but hadn’t been available for mobile apps until today.