Hackers stole personal details of 150 million MyFitnessPal users
Under Armour, the well-known US sportswear company, reported a massive data breach on March 29, 2018 that affected its popular MyFitnessPal app. According to the company's initial findings, it became aware of the intrusion on March 25 and determined that an unauthorized party had gained access to MyFitnessPal user data during February. It is estimated that more than 150 million usernames, email addresses, and hashed passwords were exposed to cybercriminals.
The MyFitnessPal breach is currently under investigation. Under Armour, together with outside cybersecurity experts and law enforcement, is conducting an in-depth analysis of the incident and has declined to comment on further details.
MyFitnessPal account owners notified via official Under Armour email
Sadly, massive data breaches seem to be becoming common practice. Although companies keep asserting that they take people's privacy seriously, little appears to be done to compensate for the losses and the stress that victims of such privacy scandals experience.
Nevertheless, Under Armour's reaction to the MyFitnessPal hack is praiseworthy. It took the company less than two days to inform potential victims and explain the whole situation to them in detail.
We are writing to notify you about an issue that may involve your MyFitnessPal
account information. We understand that you value your privacy and we take the
protection of your information seriously.
The notice also explains what steps were taken once the leak was discovered. According to it, the company has distributed basic advice on how users can protect their data and is actively monitoring the service for suspicious activity. The company's IT staff, together with law enforcement and outside security vendors, are also working to improve the app's security and prevent unauthorized access in the future.
Hackers cracked the hash
Under Armour reported that the breach did not expose sensitive personal information such as Social Security numbers or driver's license numbers, because the company never collects such data. Usernames, email addresses, and account passwords are stated to be the only data disclosed.
It turns out that the hackers were able to crack the hashed passwords. The MyFitnessPal account passwords were not protected with the slow, deliberately expensive bcrypt algorithm. Instead, the company relied on SHA-1, a 160-bit hash function. SHA-1 is considered weak for password storage because it is fast to compute, which makes the hashes far easier to crack. Rick Redman, a penetration tester at the firm KoreLogic, explains:
The strength of the hash is the insurance policy. It tells you how much time users have to change their passwords after a data breach before they come to harm. If it’s just SHA1, there is no window… If it’s bcrypt, you have time to run away and change all your passwords.
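The "insurance policy" Redman describes is the difference between a fast, unsalted hash and a slow, salted one, and the practical fix for a service in MyFitnessPal's position is to upgrade legacy records to the slow scheme the next time each user logs in. The following is an added example, not Under Armour's code: it assumes a minimal record format of the example's own design (`scheme$...`), and, because bcrypt is not in Python's standard library, it uses PBKDF2-HMAC-SHA256 from hashlib as the stand-in slow, salted hash. The `cost_ratio` helper gives a rough wall-clock measure of how much more work an attacker faces per guess against the slow scheme.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Slow-hash parameters (assumption of this example; tune to your hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA-1: the weak legacy scheme the article describes.
    Kept only so existing records can still be verified and then upgraded."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stand-in for bcrypt here).
    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(legacy_sha1_hash(password), stored)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, _digest_hex = rest.split("$")
        recomputed = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(recomputed, stored)
    raise ValueError("unknown hash scheme")


def needs_rehash(stored: str) -> bool:
    """True for any record not yet stored with the slow scheme."""
    return not stored.startswith("pbkdf2_sha256$")


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success, return the record the application
    should persist, upgrading a legacy SHA-1 record to the slow scheme."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, slow_hash(password)
    return True, stored


def cost_ratio(samples: int = 5) -> float:
    """Rough ratio of time per slow hash to time per SHA-1 hash.
    This is the factor by which offline guessing slows down."""
    pw = "correct horse battery staple"  # constructed sample password
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(samples):
        legacy_sha1_hash(pw)
    t1 = time.perf_counter()
    for _ in range(samples):
        slow_hash(pw, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    # Constructed legacy record, as an old user table might hold it.
    old_record = legacy_sha1_hash("hunter2")
    ok, new_record = login("hunter2", old_record)
    print("login ok:", ok, "| upgraded:", needs_rehash(old_record) and not needs_rehash(new_record))
    print("slow hash costs roughly %.0fx a SHA-1 hash" % cost_ratio())
```

The rehash-on-login pattern matters because a service cannot upgrade hashes it cannot reverse; it can only do so when the plaintext is briefly available at authentication time. Until every record has been upgraded, the legacy rows remain the ones with "no window" in Redman's terms, which is why forcing a password reset, as Under Armour did, is the right complement to the migration.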
Urgent: Under Armour urges MyFitnessPal account users to change passwords immediately
150 000 MyFitnessPal users were warned that an “unauthorized party” had gained access to the app's servers. Along with the general statement about the breach, the company stressed the importance of changing the MyFitnessPal password.
That is not optional: you must change your password even if you believe your account details have not been leaked.
We will require MyFitnessPal users to change their passwords and urge users to do so immediately. If you are a MyFitnessPal user who created an account after November 2016, changing your MyFitnessPal password will also update the password you use for the MapMyFitness family of apps (Endomondo registration is separate).
- Open your web browser and sign in to your MyFitnessPal account.
- Open “Settings” and click “Change Password.”
- Make sure you write down the new password somewhere safe until you memorize it.
Keep in mind that reusing the same password across multiple accounts is not advisable: it makes it easy for criminals who obtain one password to get into your other accounts and misuse your personal information.