PBL
Company Details
Linkedin ID:
purpose-brands-llc
Website:
Employees number:
28,436
Number of followers:
16,008
NAICS:
71394
Industry Type:
Homepage:
sebrands.com
IP Addresses:
0
Company ID:
PUR_3269726
Scan Status:
In-progress
Purpose Brands, LLC Company CyberSecurity Posture
sebrands.com
Purpose Brands, LLC provides fitness, nutrition and wellness support and services to more than 7,000 communities and millions of people around the world. We own and operate the world’s largest and most trusted portfolio of fitness, health and wellness franchise brands and services: Anytime Fitness, Orangetheory Fitness, Waxing the City, Basecamp Fitness/SUMHIIT Fitness, The Bar Method, Stronger U Nutrition, Healthy Contributions and Provision Security. Together, these brands generate USD$3.7 billion in revenue, operating across 50 countries on all seven continents with a combined 6 million members. We combine this portfolio with a world-class franchise operating model and suite of services that helps our brands and franchise owners accelerate growth and deliver exceptional member experiences. Above all, our culture, people and franchise owners share a commitment to personal wellness; a spirit of service to help those who seek to improve their own physical and mental wellbeing; tireless advocacy and innovation for fitness, health and wellness experiences; and a daily honor to earn the trust in our brands from our franchise owners and the people who help consumers on their personal wellness journeys.
Purpose Brands, LLC A.I CyberSecurity Scoring
PBL Risk Score (AI oriented)Between 700 and 749
PBL
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
PBL Global Score (TPRM)XXXX
PBL
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
PBL Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
Self Esteem Brands LLC (Purpose Brands)
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Self Esteem Brands LLC (operating as Purpose Brands) experienced a **cybersecurity incident** between **December 19, 2023, and June 6, 2024**, exposing sensitive personal data of U.S. consumers. The breach compromised **names, Social Security numbers, tax IDs, driver’s license/passport numbers, financial account details, payment card information, health records, and health insurance data**. The company settled a class-action lawsuit, offering affected individuals reimbursement for **documented losses (up to $5,000 for identity theft/fraud, $2,000 for out-of-pocket expenses)**, compensation for lost time ($80 max), and **two years of credit monitoring with $1M identity theft insurance**. The breach led to potential **identity theft, financial fraud, and reputational harm**, with the settlement fund covering administrative costs, legal fees, and payouts to victims. The incident underscores risks of **unauthorized access to highly sensitive personal and financial data**, though the company denied wrongdoing.
PBL Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for PBL
Incidents vs Wellness and Fitness Services Industry Average (This Year)
No incidents recorded for Purpose Brands, LLC in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Purpose Brands, LLC in 2025.
Incident Types PBL vs Wellness and Fitness Services Industry Avg (This Year)
No incidents recorded for Purpose Brands, LLC in 2025.
Incident History — PBL (X = Date, Y = Severity)
PBL cyber incidents detection timeline including parent company and subsidiaries
PBL Company Subsidiaries
Purpose Brands, LLC provides fitness, nutrition and wellness support and services to more than 7,000 communities and millions of people around the world. We own and operate the world’s largest and most trusted portfolio of fitness, health and wellness franchise brands and services: Anytime Fitness, Orangetheory Fitness, Waxing the City, Basecamp Fitness/SUMHIIT Fitness, The Bar Method, Stronger U Nutrition, Healthy Contributions and Provision Security. Together, these brands generate USD$3.7 billion in revenue, operating across 50 countries on all seven continents with a combined 6 million members. We combine this portfolio with a world-class franchise operating model and suite of services that helps our brands and franchise owners accelerate growth and deliver exceptional member experiences. Above all, our culture, people and franchise owners share a commitment to personal wellness; a spirit of service to help those who seek to improve their own physical and mental wellbeing; tireless advocacy and innovation for fitness, health and wellness experiences; and a daily honor to earn the trust in our brands from our franchise owners and the people who help consumers on their personal wellness journeys.
Loading...
PBL Similar Companies
American Heart Association
Welcome to the American Heart Association’s movement to change the future of health and be the progress that ensures longer, healthier lives for all. By driving breakthroughs in science, policy, and care – together -- we can overcome today’s biggest health challenges and transform lives every day.
Aetna, a CVS Health Company
Here at Aetna, a CVS Health® company, we’re building a healthier world by making health care easy, affordable and all about you. Because Healthier Happens Together™! Follow our page for company news, industry commentary, jobs and more. Founded in 1853 in Hartford, CT, Aetna® is one of the nation's l
Forever Living Products (Home Office)
Forever Living Products and its affiliates are the largest growers, manufacturers and distributors of aloe vera products in the world. The key to Forever's success is commitment to quality and purity. With offices in over 160 countries and Forever Business Owners worldwide, our goal is to provide a
Massage Envy
Massage Envy is the nation’s #1 provider of massage collectively across its franchise network and a national leader in skin care. All Massage Envy locations are independently owned and operated franchises, where the franchisee is the sole employer of all positions. Massage Envy combines big-brand r
Herbalife
Herbalife is a global health and wellness community born to support you in living your best life. For over 40 years and in more than 90 countries, we’ve empowered millions of people to make real changes to their lives with our science-backed products, the support of a coach – what we call an Herbali
LA Fitness is a privately owned fitness club chain. LA Fitness has hundreds of health clubs gyms and millions of members across US and Canada. In an industry often equated with fad and fashion, LA Fitness has steadily increased its presence by focusing on the one lifelong benefit valued by everyone:
Somos a maior rede de academias da América Latina, com o propósito de democratizar o fitness de alto padrão. Estamos presentes em 15 países, contando com mais de 1500 academias. Atendemos mais de 4 milhões de alunos e contamos com nossa gente de mais de 7 mil colaboradores dedicados, empenhados em o
Grupo Fleury
O Grupo Fleury é reconhecido como uma referência de qualidade em medicina diagnóstica no país, com soluções completas, coordenação de cuidado centrada no indivíduo, capacidade de inovação e tecnologia. Temos um portfólio de saúde integrado, preventivo e híbrido, nascemos como um laboratório e evolu
Young Living Essential Oils
Through the painstaking steps of our proprietary Seed to Seal® production process, we produce the best, most authentic essential oils in the world. We are committed to providing pure, powerful products for every family and lifestyle, all infused with the life-changing benefits of our essential oils.
.png)
PBL CyberSecurity News
November 13, 2025 08:00 AM
Purpose Brands Data Breach Class Action Settlement
Consumers whom Self Esteem Brands notified that a data breach potentially compromised their information may qualify to claim up to $5000...
August 11, 2025 07:00 AM
Cencora & The Lash Group Settle Data Breach Litigation for $40 Million
Cencora, The Lash Group, and their affiliates have agreed to pay $40 million to settle class action data breach litigation over a February...
April 24, 2025 07:00 AM
North Korean cyber spies created U.S. firms to dupe crypto developers
North Korean cyber spies created two businesses in the U.S., in violation of Treasury sanctions, to infect developers working in the...
March 25, 2025 03:12 PM
Southeast Series of Lockton Companies Data Breach
Did Lockton send you a letter about a data breach? Individuals whose private information was exposed may be able to take legal action. Learn more.
March 18, 2025 07:00 AM
Alphabet to buy Wiz for $32 billion in its biggest deal to boost cloud security
Alphabet will buy fast-growing startup Wiz for about $32 billion in its biggest deal ever, the Google parent said Tuesday, as it doubles...
March 08, 2025 08:00 AM
Top 50 Best Penetration Testing Companies in 2025
Penetration testing companies play a crucial role in cybersecurity by identifying vulnerabilities in an organization's systems, networks, and applications.
December 13, 2023 08:00 AM
How cybercriminals are using Wyoming shell companies for global hacks
Somali reporter Abdalle Ahmed Mumin was doubly distressed when he heard that a colleague had been abducted by masked gunmen at the...
June 24, 2023 12:59 PM
List of victimized companies of MOVEit Cyber Attack
The companies affected by the Move It cyber attack. Stay informed about the latest cybersecurity threats and protect your organization from similar...
January 20, 2020 08:00 AM
From Account Hijacking To Cybersquatting: A Brief Dive Into Suspicious Disney+ Domains
We started looking for misspelled variations of the Disney+ official domain (disneyplus[.]com) using the search term “disney plus” and found more than 120...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
PBL CyberSecurity History Information
Official Website of Purpose Brands, LLC
The official website of Purpose Brands, LLC is http://sebrands.com.
Purpose Brands, LLC’s AI-Generated Cybersecurity Score
According to Rankiteo, Purpose Brands, LLC’s AI-generated cybersecurity score is 740, reflecting their Moderate security posture.
How many security badges does Purpose Brands, LLC’ have ?
According to Rankiteo, Purpose Brands, LLC currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Purpose Brands, LLC have SOC 2 Type 1 certification ?
According to Rankiteo, Purpose Brands, LLC is not certified under SOC 2 Type 1.
Does Purpose Brands, LLC have SOC 2 Type 2 certification ?
According to Rankiteo, Purpose Brands, LLC does not hold a SOC 2 Type 2 certification.
Does Purpose Brands, LLC comply with GDPR ?
According to Rankiteo, Purpose Brands, LLC is not listed as GDPR compliant.
Does Purpose Brands, LLC have PCI DSS certification ?
According to Rankiteo, Purpose Brands, LLC does not currently maintain PCI DSS compliance.
Does Purpose Brands, LLC comply with HIPAA ?
According to Rankiteo, Purpose Brands, LLC is not compliant with HIPAA regulations.
Does Purpose Brands, LLC have ISO 27001 certification ?
According to Rankiteo,Purpose Brands, LLC is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Purpose Brands, LLC
Purpose Brands, LLC operates primarily in the Wellness and Fitness Services industry.
Number of Employees at Purpose Brands, LLC
Purpose Brands, LLC employs approximately 28,436 people worldwide.
Subsidiaries Owned by Purpose Brands, LLC
Purpose Brands, LLC presently has no subsidiaries across any sectors.
Purpose Brands, LLC’s LinkedIn Followers
Purpose Brands, LLC’s official LinkedIn profile has approximately 16,008 followers.
NAICS Classification of Purpose Brands, LLC
Purpose Brands, LLC is classified under the NAICS code 71394, which corresponds to Fitness and Recreational Sports Centers.
Purpose Brands, LLC’s Presence on Crunchbase
No, Purpose Brands, LLC does not have a profile on Crunchbase.
Purpose Brands, LLC’s Presence on LinkedIn
Yes, Purpose Brands, LLC maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/purpose-brands-llc.
Cybersecurity Incidents Involving Purpose Brands, LLC
As of December 10, 2025, Rankiteo reports that Purpose Brands, LLC has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
Purpose Brands, LLC has an estimated 12,079 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Purpose Brands, LLC ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
What was the total financial impact of these incidents on Purpose Brands, LLC ?
Total Financial Loss: The total financial loss from these incidents is estimated to be $0.
How does Purpose Brands, LLC detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an recovery measures with class action settlement offering compensation and credit monitoring, and communication strategy with notices sent to affected individuals with claim instructions (unique id/pin provided)..
Incident Details
Can you provide details on each incident ?
Title: Purpose Brands (Self Esteem Brands) Data Breach
Description: A cybersecurity incident affecting Self Esteem Brands (doing business as Purpose Brands) occurred between December 19, 2023, and June 6, 2024, exposing sensitive personal information of U.S. consumers. The breach led to a class action lawsuit, with the company agreeing to a settlement offering compensation, credit monitoring, and identity theft protection to affected individuals.
Date Detected: 2024-06-06
Type: Data Breach
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach PUR3203232111425
Data Compromised: Names, Social security numbers, Tax identification numbers, Driver’s license numbers, Passport numbers, Financial account information, Payment card information, Health information, Health insurance information
Brand Reputation Impact: Class action lawsuit and settlement
Legal Liabilities: Class action lawsuit settled; company denies wrongdoing
Identity Theft Risk: High (SSNs, financial, and health data exposed)
Payment Information Risk: High (payment card and financial account information exposed)
What is the average financial loss per incident ?
Average Financial Loss: The average financial loss per incident is $0.00.
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (Pii), Financial Data, Health Information and .
Which entities were affected by each incident ?
Incident : Data Breach PUR3203232111425
Entity Name: Self Esteem Brands LLC (dba Purpose Brands)
Entity Type: Corporation
Industry: Health/Wellness (Franchise Business, e.g., Anytime Fitness)
Location: United States
Customers Affected: U.S. residents notified of the breach (exact number undisclosed)
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach PUR3203232111425
Recovery Measures: Class action settlement offering compensation and credit monitoring
Communication Strategy: Notices sent to affected individuals with claim instructions (unique ID/PIN provided)
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach PUR3203232111425
Type of Data Compromised: Personally identifiable information (pii), Financial data, Health information
Sensitivity of Data: High (includes SSNs, tax IDs, health, and financial data)
Data Exfiltration: Likely (files containing personal information exposed)
Personally Identifiable Information: NamesSocial Security numbersTax identification numbersDriver’s license numbersPassport numbers
Ransomware Information
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Class action settlement offering compensation and credit monitoring.
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach PUR3203232111425
Legal Actions: Class action lawsuit settled (no admission of wrongdoing)
How does the company ensure compliance with regulatory requirements ?
Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class action lawsuit settled (no admission of wrongdoing).
References
Where can I find more information about each incident ?
Incident : Data Breach PUR3203232111425
Source: Class Action Settlement Notice
Incident : Data Breach PUR3203232111425
Source: Settlement Administrator Contact
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Class Action Settlement Notice, and Source: Settlement Administrator Contact.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach PUR3203232111425
Investigation Status: Settled (class action lawsuit resolved; no further details on forensic investigation)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notices sent to affected individuals with claim instructions (unique ID/PIN provided).
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach PUR3203232111425
Stakeholder Advisories: Notices sent to affected individuals with claim instructions (ID/PIN provided for online claims).
Customer Advisories: Eligible individuals can file claims for compensation (up to $5,000), credit monitoring (2 years), or a $25 cash payment. Deadline: December 31, 2025.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Notices sent to affected individuals with claim instructions (ID/PIN provided for online claims)., Eligible individuals can file claims for compensation (up to $5,000), credit monitoring (2 years), or a $25 cash payment. Deadline: December 31 and 2025..
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Breach PUR3203232111425
Corrective Actions: Settlement agreement (compensation, credit monitoring) to mitigate harm to affected individuals.
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Settlement agreement (compensation, credit monitoring) to mitigate harm to affected individuals..
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2024-06-06.
Impact of the Incidents
What was the highest financial loss from an incident ?
Highest Financial Loss: The highest financial loss from an incident was {'settlement_fund': {'administration_costs': '$14,400', 'attorneys_fees': '$150,000', 'class_representative_award': '$3,000', 'credit_monitoring_costs': 'Dependent on valid claims', 'payments_to_class_members': 'Dependent on valid claims'}, 'compensation': {'ordinary_losses': 'Up to $2,000 (documented out-of-pocket expenses + $80 for lost time)', 'extraordinary_losses': 'Up to $5,000 (identity theft/fraud)', 'alternative_cash_payment': '$25 (one-time, no documentation required)'}}.
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Names, Social Security numbers, Tax identification numbers, Driver’s license numbers, Passport numbers, Financial account information, Payment card information, Health information, Health insurance information and .
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Payment card information, Financial account information, Names, Social Security numbers, Tax identification numbers, Health insurance information, Passport numbers, Health information and Driver’s license numbers.
Regulatory Compliance
What was the most significant legal action taken for a regulatory violation ?
Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Class action lawsuit settled (no admission of wrongdoing).
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Class Action Settlement Notice and Settlement Administrator Contact.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Settled (class action lawsuit resolved; no further details on forensic investigation).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Notices sent to affected individuals with claim instructions (ID/PIN provided for online claims)., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Eligible individuals can file claims for compensation (up to $5,000), credit monitoring (2 years), or a $25 cash payment. Deadline: December 31 and 2025.
.png)
Latest Global CVEs (Not Company-Specific)
Description
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5.
Risk Information
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users’ browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.
Risk Information
cvss3
Base: 8.0
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Description
ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
Risk Information
cvss3
Base: 9.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Description
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.
Risk Information
cvss4
Base: 9.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
- https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698
- https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=purpose-brands-llc' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
