150 million MyFitnessPal accounts compromised by a massive data breach

By Harold Kilpatrick, Cybersecurity Consultant and Blogger.

Hackers stole data of more than 150 million users of a wildly popular fitness and dietary tracking app MyFitnessPal, as announced by its parent company Under Armour on Thursday, March 29.

The company started notifying users about the breach via email and in-app messaging four days after it had noticed that an unauthorised party had accessed the data in February.

What data was stolen?

The breached data includes usernames, email addresses, and hashed passwords. In theory, hackers should find the latter useless, as they aren’t readable to the human eye. A hashing algorithm converts each user’s password into a random-looking string of characters. And since hashing works in only one direction – the mathematical function that turns passwords into cryptographic hashes is easy to compute but extremely difficult to reverse – login credentials should remain safe and sound. Theoretically.

However, hashing algorithms differ greatly in their cost: it may take years to crack some hashed passwords, while others can be cracked in a matter of hours. Also, hashing hardly helps in protecting low-security passwords such as “password123” or “qwerty” – using so-called rainbow tables, precomputed lookup tables of the hashes of the most common passwords, hackers can match the hashed values and gain access to users’ accounts.

Even though the company used bcrypt, a password hashing mechanism that involves multiple rounds of computation, MyFitnessPal users are urged to change their passwords as soon as possible.
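To show why a slow, salted hash such as bcrypt matters, here is an added example (not code from the article or from Under Armour) that contrasts a fast unsalted hash, which a precomputed table of common-password hashes matches instantly, with a salted, multi-round hash that the same table cannot match. The list of common passwords is constructed for the demo, and PBKDF2 from Python’s standard library stands in for bcrypt so the example runs without extra packages.

```python
import hashlib
import hmac
import os

# Constructed sample of "most common" passwords; a real table would be far larger.
COMMON_PASSWORDS = ["password123", "qwerty", "123456", "letmein", "iloveyou"]


def build_lookup_table(passwords):
    """Precompute unsalted SHA-256 digest -> plaintext. This is the idea behind a
    rainbow/lookup table: the hashing work is done once and reused against every
    leaked hash that used the same unsalted scheme."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def unsalted_hash(password):
    """Weak scheme: one fast hash, no salt. Every user with the same password gets
    the same hash, so one precomputed table matches all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password, salt=None, rounds=200_000):
    """Stronger scheme in the spirit of bcrypt: a random per-user salt plus many
    rounds. PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (assumption).
    Stored format: saltHex$rounds$digestHex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_slow_salted(password, stored):
    """Re-derive the digest with the stored salt and round count; compare in
    constant time so the check itself leaks no timing information."""
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def recover_from_table(stored_hash, table):
    """Return the plaintext if the stored value appears in the table, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", recover_from_table(unsalted_hash("password123"), table))
    stored = slow_salted_hash("password123")
    print("salted:", recover_from_table(stored, table))
    print("verify:", verify_slow_salted("password123", stored))
```

The salt alone defeats the precomputed table; the round count is what turns each remaining guess from microseconds into a deliberately expensive computation, which is why the article notes that weak passwords stay at risk even under bcrypt.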

Under Armour claims that none of the financial information was affected by the data breach. The company keeps and processes payment information separately from general user information, and this data handling practice turned out in their favour.

Since the company doesn’t collect any government-issued identifiers, such as driver’s license numbers or social security numbers, the damage of the data breach is moderate.

How did that happen?

It is still unclear who is behind the data breach that compromised the privacy of millions of MyFitnessPal users. Under Armour is running an investigation with the help of security firms and law enforcement agencies to find out how hackers were able to get into their system without being noticed.

Personal fitness data is exposed. What are the risks?

A daily calorie intake or minutes spent on a treadmill may not look like valuable information at first glance, but it sure has power if we look at the bigger picture.

Self-monitoring is clearly a thing right now. The athletic clothing company Under Armour acquired MyFitnessPal in 2015, and at that time the app had 80 million users. Since then, the number of app users has nearly doubled.

People turn to tech to monitor their health and get assistance on their fitness journey. Wearables and mobile apps like MyFitnessPal are used for tracking on a daily basis, and the information they gather is highly personal. For example, according to its privacy policy, MyFitnessPal can collect precise performance and location data. Behind that lies a valuable piece of information: where you were at a certain time and how fast you were moving.

Combined with data from other sources, personal fitness records can add significantly to a user’s profile, letting hackers know his or her whereabouts. All in all, every data point matters.

What can be done to make future attacks less damaging?

There’s not much the affected users can do other than change their passwords immediately, since the data breach occurred on Under Armour’s servers. However, this case is an important reminder that any type of personal data is vulnerable to hacking.

What can be done individually to secure private data? Here are the key takeaways:

  1. Setting strong passwords for all your online accounts. The more complex the password, the lower the chance that a hacker will be able to crack the hash and hijack your accounts.
  2. Being aware of what information is shared with applications. Check what permissions you’ve granted to apps. You may opt out of those you deem unnecessary or those needed only for extra features you don’t use.
  3. Reviewing the apps and online services you use. Do you still need them all? Now is the perfect time to get rid of the apps you stopped using at some point and have forgotten are still on your smartphone. Delete the accounts of online services you no longer need.

About the Author

Harold Kilpatrick is a cybersecurity consultant who also freelances as a blogger. Harold lives in New York, where he loves to go on coffee walks with his golden lab, Ernie.
