Under Armour announced a breach on March 29 that affected an estimated 150 million users of its nutrition and diet application, MyFitnessPal. According to CNBC, affected information may include usernames, email addresses, and hashed passwords. Fortunately for consumers, the breach has not affected payment information, which Under Armour collects and processes separately. Under Armour does not collect government identifiers, like social security numbers or driver’s license numbers. Under Armour first became aware of a potential breach on March 25, when the company discovered an unauthorized party had accessed MyFitnessPal user data in February. Under Armour took steps to notify affected users and is now working with data security firms and law enforcement to assist in its investigation.
According to Reuters, the breach is the largest this year and one of the top five to date, based on the number of records compromised. Under Armour released a statement on March 29,2018, saying it is working with data security firms and law enforcement, but did not provide details on how the hackers got into the network or extracted the data. While the breach did not include financial data, stolen email addresses can be valuable to cyber criminals.
Under Armor wrote in an alert on its website that it will require MyFitnessPal users to change their passwords, and it urged users to do so immediately. “We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company’s statement said adding that it was bolstering systems that detect and prevent unauthorized access to user information. The company’s initial statement said it started notifying users of the breach on Thursday, four days after it first learned of the incident. Under Armour bought MyFitnessPal in 2015 for $475 million. According to Reuters, It is part of the company’s connected fitness division, whose revenue last year accounted for 1.8 percent of Under Armour’s $5 billion in total sales.
According to the New York Post, the best news from the breach is that Under Armour stored user passwords that were hashed, rather than the more easily hackable plain-text passwords. That will make it more difficult for attackers to find the plain-text passwords, although it’s still possible. The biggest risk with a data breach such as this isn’t necessarily the immediate information that’s compromised, but rather what the username/password combos could give access to. Users have a habit of reusing usernames and passwords across websites, so a breach of MyFitnessPal could easily lead to bank accounts or any amount of sensitive information. MyFitnessPal users will likely want to change their passwords for the platform as well as any other accounts or websites that share the same password.