I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format

>[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]

So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.

If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients birthdays loudly,

I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.