Ultrahuman's Ring Air, the smart ring at the center of the company's data breach disclosure. | Image by Ultrahuman
Your Samsung Galaxy Ring, your Oura, your Ultrahuman, they all run on the same quiet bargain: you hand over the most personal data you own, and you trust the company to guard it. So what happens when one of those companies gets broken into, and then can't quite tell you how bad it was?
Ultrahuman confirms hackers reached customer wellness data
Ultrahuman, the India-based smart ring maker behind the Ring Air and the newer Ring Pro, has confirmed that hackers got into customer wellness data. The company started emailing affected users on Wednesday (June 3), according to a new report.
Here's what went down: the hack took place on March 27 and hit an internal analytics system, not the rings or the core product. The attackers got in using login credentials swiped from an employee's malware-infected laptop.
Recommended For You
Ultrahuman says it caught the breach within hours, pulled the affected system offline, and revoked access. CEO Mohit Kumar said the company's alerting systems flagged the incident fast and the hole was closed.
The Ring Air tracks sleep, heart rate, and recovery, the kind of intimate health data the breach touched. | Image by Ultrahuman
How many people were actually affected
By Ultrahuman's own math, the breach touched roughly 0.1% of its users. That sounds tiny until you run the conversion.
The company has previously reported around 700,000 monthly active users, which puts the floor at about 700 people who had health data accessed. Ultrahuman didn't dispute that number, but it also wouldn't say exactly how many customers got hit.
What's confirmed safe: no passwords, no payment information, no production systems, and no actual Ring devices were compromised. The company also says the attacker only had "read-only" access to the system.
How much do you trust the company holding your health data?
Why this matters more than the numbers suggest
A 700-person breach won't make global headlines, and that's exactly why it's worth talking about. The real story is what these devices know about you.
Smart rings like Ultrahuman's, and rival Oura, store your health data on company servers in a way that lets employees, governments, and bad actors potentially reach it. We made that point when Oura kept pushing harder into the US market, and it applies double here. A smartwatch tracks your steps. A health ring profiles your body.
The reaction from owners tells its own story. On Reddit, one ring user who got the breach email wrote that Ultrahuman insists only their email leaked, but added that given the company's track record, they'd bet more was taken than the company is admitting.
A SmartRings subreddit user reacts to receiving Ultrahuman's breach notification email. | Image by Reddit
That skepticism isn't coming out of nowhere. It should be noted that Ultrahuman has been in aggressive expansion mode, fighting Oura in court over patents while pricing a luxury ring at nearly $2,000. When a company is scaling that fast, security can't be an afterthought, because the data it holds is permanent in a way a leaked password never is. You can change a password. You can't change your resting heart rate history.
What this means if you wear a Galaxy Ring or Oura
If you're on a Samsung Galaxy Ring, this specific breach doesn't touch you. Your data lives in Samsung Cloud tied to your account, protected by Samsung's Knox security, and Samsung says it doesn't share personal health data externally without consent. So Samsung itself has little to worry about here on a security level.
That said, the structural point still lands. Galaxy Ring data is cloud-stored health data, same as Ultrahuman's, and Samsung even offers a developer SDK that gives approved partners access to user health data with consent. Oura owners are in the same boat: convenient cloud sync, your body's metrics sitting on someone else's server. The lesson isn't "switch rings," it's that every one of these devices runs on trust, and trust is only as strong as the company's worst day.
The part that should bother you
What gets me isn't the breach itself, because every company gets hit eventually. It's that Ultrahuman won't confirm whether any of your data actually left the building.
The company called the access "read-only" and said its investigation is ongoing, but it wouldn't confirm whether data was exfiltrated. "Read-only" is doing a lot of comforting work in that sentence, and it shouldn't. Read-only access still means someone sat there and looked at your sleep patterns and heart data, and the company can't tell you if they walked out with a copy.
I've worn a smart ring, and the appeal is real: it's the quietest, least intrusive way to track your health that exists right now. But that convenience runs on a deal where you hand over your most intimate metrics and trust the company to guard them.
When "did they take my data" is still a question, that deal starts looking lopsided, and clearly I'm not the only one feeling it. The rings are great. The vagueness is not.
Want more hot takes and behind-the-scenes tech coverage? Follow me on X and Threads for the stuff that doesn't always make the article.
Samsung Galaxy Z Flip 6 flash sale! Limited time offer!
Save $30 on Samsung Galaxy Z Flip 6 from Back Market. Discount automatically applied at checkout. Offer ends 7 June 2026 at 23:59.
Johanna Romero is a Senior News Writer at PhoneArena, covering mobile technology news across Android, iOS, wearables, and the Google ecosystem she knows best. Drawing on 15 years in IT and tech support from 2007 to 2022, she brings a user-friendly eye for the practical features and lesser-known tricks readers care about. Google named her an official #TeamPixel member in 2022, and she also reviews the latest devices on her YouTube channel, JoJo the Techie.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts:
New accounts created within the last 24 hours may experience restrictions on how frequently they can
post or comment.
These limits are in place as a precaution and will automatically lift.
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
![T-Mobile will hire from India after layoffs in the US [UPDATED]](https://m-cdn.phonearena.com/images/article/180876-wide-two_350/T-Mobile-will-hire-from-India-after-layoffs-in-the-US-UPDATED.webp)
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: