My guess – iFit sold your data in the advertising and tracking market, which you allowed by signing their ToS. Over there it was exchanged between many faceless data brokers, credit agencies, banks, advertisers and more, again fully legally. Pretty much everyone reading this thread and using the internet in general has their personal info floating around in such markets.
From there, your specific bit of data took a path that was, whether knowingly or unknowingly, leaked/sold to someone running outright phishing scams. This part is rare, because the data is a valuable commodity and using it for such pointless (and illegal) purposes would be counter to the best interests of everyone in these ecosystems.
How serious is it? Well, there are people out there with all the info you put in your iFit account. How severe you consider that depends on a bunch of factors, and could be different for everyone.
Not sure why you think it's unlikely, they told you they would in their privacy policy.
"We may disclose or share your personal data to entities other than iFIT for a business purpose"
More than likely iFit.
I don't think they're doing so hot after the Peloton lawsuit, and anecdotally getting their support to answer a simple email takes months. My last conversation with them by phone basically ended with the agent saying "go ahead and initiate a charge-back with your credit card, because even though you should be refunded my hands are tied".
I've gotten a LOT of these, either your data was sold or compromised. Easy to spot where the data came from because they are sent to masked email addresses (notice they sent it to your `+ifit` address) which makes me think iFit was compromised (not Gmail).
Change your password and email for iFit, poison your data (put in fake names/info if you can). Search your email at the haveibeenpwned website and it will return any data leaks it was a part of.
If you're into scam-baiting, call the number (ideally with a fake/VOIP number) they provided and play along with the scam until they realize you're bullshitting. Do it enough times and your email is removed from their spam list. For extra fun, post the number to r/scambait and they will be inundated with calls for a while.
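One way to turn the plus-addressing observation above (mail arriving at the `+ifit` alias) into a repeatable check, as an added example that is not part of any comment in this thread: parse a batch of message headers, group them by the alias tag they were sent to, and flag any message whose sender domain is not one the tagged service is expected to mail from. The sample headers and the `KNOWN_SENDERS` map are constructed for illustration; the domains in them are placeholders, not real senders.

```python
# Added example (not from the thread): attribute suspicious mail to the
# service whose plus-addressed alias it was sent to, as the comment above
# describes with the "+ifit" alias. Sample headers below are constructed.
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages: each is a minimal RFC 822 header block.
SAMPLE_MESSAGES = [
    "From: billing@example-fitness.test\nTo: alice+ifit@example.com\n"
    "Subject: Invoice #4412\n\nbody",
    "From: noreply@ifit.com\nTo: alice+ifit@example.com\n"
    "Subject: Your workout summary\n\nbody",
    "From: support@some-voip.test\nTo: alice+voipco@example.com\n"
    "Subject: Renew now\n\nbody",
    "From: friend@example.org\nTo: alice@example.com\n"
    "Subject: hi\n\nbody",
]

# Hypothetical mapping: alias tag -> domains that service legitimately mails from.
KNOWN_SENDERS = {
    "ifit": {"ifit.com"},
    "voipco": {"some-voip.test"},
}


def plus_tag(address):
    """Return the plus-address tag of the local part, or None if there is none."""
    local, _, _ = address.partition("@")
    if "+" in local:
        return local.split("+", 1)[1].lower()
    return None


def sender_domain(address):
    """Domain part of an address, lower-cased."""
    return address.rpartition("@")[2].lower()


def attribute_leaks(raw_messages, known_senders):
    """Group messages by alias tag and flag senders not expected for that tag.

    Returns dict: tag -> list of (sender_domain, subject, unexpected).
    """
    report = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, sender = parseaddr(msg.get("From", ""))
        for _, rcpt in getaddresses(msg.get_all("To", [])):
            tag = plus_tag(rcpt)
            if tag is None:
                continue  # plain address, nothing to attribute
            dom = sender_domain(sender)
            unexpected = dom not in known_senders.get(tag, set())
            report[tag].append((dom, msg.get("Subject", ""), unexpected))
    return dict(report)


def leaked_tags(report):
    """Alias tags that received mail from at least one unexpected sender."""
    return sorted(tag for tag, items in report.items() if any(u for _, _, u in items))


if __name__ == "__main__":
    rep = attribute_leaks(SAMPLE_MESSAGES, KNOWN_SENDERS)
    for tag, items in rep.items():
        for dom, subj, bad in items:
            print(f"{'LEAK?' if bad else 'ok   '} +{tag:<8} from {dom:<24} {subj}")
    print("aliases with unexpected senders:", leaked_tags(rep))
```

The idea is only as good as the alias discipline behind it: every service gets its own tag, and the `KNOWN_SENDERS` list is kept current, so a mismatch means the alias has left the service's hands rather than that the service changed its mail provider.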
I had something like this happen with a VoIP provider (I don't quite know how to describe them, but they're like Twilio where you can 'code the phone' sort of thing) and my unique email address. Reported it to them out of concerns their system was breached, explained the unique email address situation and was given nothing but denial in return and ultimately got nowhere.
Sucks, but I guess it is what it is :/. This was a while ago so it's fuzzy but I just ended up not using them anymore/not going forward with them.
Most US states publish property tax information. This includes the full name of the property owners, their full address, the amount of property tax levied, and the purchase price of the home. So none of that information should be considered private. Phone numbers were also quite public in the phone book days of my childhood. Cell phones changed this a bit but I wouldn’t consider them private either. Food for thought.
I think that you are right to be concerned.
Your privacy is very important for us. (i.e. we make a lot of money out of it). /s
Google is not privacy.
Given the targeted nature of the email (fake fitness related invoice associated with email address used by fitness service) it looks like someone's ended up with a long list of iFit user details, almost certainly via illicit means.