Ultrahuman confirms hackers reached customer wellness data
Ultrahuman, the India-based smart ring maker behind the Ring Air and the newer Ring Pro, has confirmed that hackers got into customer wellness data. The company started emailing affected users on Wednesday (June 3), according to a new report.Here’s what went down: the hack took place on March 27 and hit an internal analytics system, not the rings or the core product. The attackers got in using login credentials swiped from an employee’s malware-infected laptop.
Ultrahuman says it caught the breach within hours, pulled the affected system offline, and revoked access. CEO Mohit Kumar said the company’s alerting systems flagged the incident fast and the hole was closed.
The Ring Air tracks sleep, heart rate, and recovery, the kind of intimate health data the breach touched. | Image by Ultrahuman
How many people were actually affected
By Ultrahuman’s own math, the breach touched roughly 0.1% of its users. That sounds tiny until you run the conversion.
The company has previously reported around 700,000 monthly active users, which puts the floor at about 700 people who had health data accessed. Ultrahuman didn’t dispute that number, but it also wouldn’t say exactly how many customers got hit.
What’s confirmed safe: no passwords, no payment information, no production systems, and no actual Ring devices were compromised. The company also says the attacker only had “read-only” access to the system.
Why this matters more than the numbers suggest
A 700-person breach won’t make global headlines, and that’s exactly why it’s worth talking about. The real story is what these devices know about you.
Smart rings like Ultrahuman’s, and rival Oura, store your health data on company servers in a way that lets employees, governments, and bad actors potentially reach it. We made that point when Oura kept pushing harder into the US market, and it applies double here. A smartwatch tracks your steps. A health ring profiles your body.
The reaction from owners tells its own story. On Reddit, one ring user who got the breach email wrote that Ultrahuman insists only their email leaked, but added that given the company’s track record, they’d bet more was taken than the company is admitting.
A SmartRings subreddit user reacts to receiving Ultrahuman’s breach notification email. | Image by Reddit
That skepticism isn’t coming out of nowhere. It should be noted that Ultrahuman has been in aggressive expansion mode, fighting Oura in court over patents while pricing a luxury ring at nearly $2,000. When a company is scaling that fast, security can’t be an afterthought, because the data it holds is permanent in a way a leaked password never is. You can change a password. You can’t change your resting heart rate history.
The part that should bother you
What gets me isn’t the breach itself, because every company gets hit eventually. It’s that Ultrahuman won’t confirm whether any of your data actually left the building.
The company called the access “read-only” and said its investigation is ongoing, but it wouldn’t confirm whether data was exfiltrated. “Read-only” is doing a lot of comforting work in that sentence, and it shouldn’t. Read-only access still means someone sat there and looked at your sleep patterns and heart data, and the company can’t tell you if they walked out with a copy.
I’ve worn a smart ring, and the appeal is real: it’s the quietest, least intrusive way to track your health that exists right now. But that convenience runs on a deal where you hand over your most intimate metrics and trust the company to guard them.
Want more hot takes and behind-the-scenes tech coverage? Follow me on X and Threads for the stuff that doesn’t always make the article.
