Context
Basic-Fit, Europe's largest gym network with over 5 million members and 1,500 clubs, announced on April 13, 2026 that it had suffered an unauthorised intrusion detected on April 8. The access was stopped within minutes by monitoring systems, but the data of nearly one million members had already been compromised.
Six countries are affected: Belgium, France, Germany, Luxembourg, Spain, and the Netherlands.
Exposed Data
- Full names
- Email addresses
- Postal addresses
- Phone numbers
- Dates of birth
- Bank account details (IBAN)
Passwords and identity documents were not accessed. As of now, no evidence of public data exposure has been identified.
Risks for Affected Members
The combination of name + email + IBAN + date of birth creates a highly complete profile for targeted attacks:
- Personalised phishing: fraudulent emails mimicking Basic-Fit or your bank, using accurate details to appear legitimate
- Vishing: phone calls impersonating your bank advisor
- Fraudulent direct debit attempts: an IBAN alone is not sufficient to initiate a transfer, but can be used in social engineering attempts targeting your bank
What to Do if You Are a Member
- Be cautious of emails or SMS mentioning your subscription, a refund, or a data update
- Never click a link received by email about your account — log in directly through the official site or app
- Notify your bank of the incident so they can monitor for unusual activity on your account
- Check your bank statements over the coming weeks
- Report any suspicious contact claiming to be from Basic-Fit to your bank
General Recommendations
- For businesses: if employees use professional email addresses for personal subscriptions, raise awareness — their work inbox could be the next target
- Enable SMS alerts on your bank account to be notified immediately of any transaction
- Don't reuse your Basic-Fit password on other services — even though passwords are not directly affected, a preventive reset is a sensible precaution