Under Armour is notifying users of MyFitnessPal, the company’s food and nutrition application and website, about a new data security issue.
On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.
The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.
(A wildly popular fitness app got hacked last month, exposing information on the millions of lazy people that use it. Courtesy of TomoNews US and YouTube. Posted on Mar 30, 2018)
Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities.
The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users.
Payment card data was also not affected because it is collected and processed separately.
The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.
Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging.
The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information.
The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
Additional information about this issue was provided by the company as follows:
MyFitnessPal Account Security Issue: Frequently Asked Questions
1. What happened?
On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.
2. What did MyFitnessPal do when it discovered the issue?
Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.
We are taking steps to protect our community, including the following:
- We are notifying MyFitnessPal users to provide information on how they can protect their data.
- We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
- We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
- We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
3. What information was affected by this issue?
The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users.
Payment card data was not affected because it is collected and processed separately.
4. What is a “hashed password”?
Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters.
5. What is “bcrypt”?
Bcrypt is a password hashing mechanism that incorporates security features, including multiple rounds of computation, to provide advanced protection against password cracking.
6. What hashing function was used to protect the MyFitnessPal account information that was not protected by bcrypt?
The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.
7. When did MyFitnessPal become aware of the issue?
On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.
8. Do you know who did this?
We do not know the identity of the unauthorized party. Our investigation into this matter is ongoing.
9. Who is being notified?
We are notifying MyFitnessPal users to provide information on how they can protect their data.
10. What is the company doing to protect my MyFitnessPal account?
Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.
We are taking steps to protect our community, including the following:
- We are notifying MyFitnessPal users to provide information on how they can protect their data.
- We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
- We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
- We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
11. I think I received an email about this issue. How do I know it is really from MyFitnessPal?
Click here to view the content of our email notice to MyFitnessPal users. Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data.
If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal and may be an attempt to steal your personal data.
Avoid clicking on links or downloading attachments from such suspicious emails.
Any link included in our email to users directs users to the MyFitnessPal Account Security Issue: Frequently Asked Questions and does not request your personal data.
12. I think I received a message about this issue in the MyFitnessPal app. What should I do?
The in-app message from MyFitnessPal contains a link to our notice to MyFitnessPal users about this issue.
Click here to view the content of our in-app notice to MyFitnessPal users.
13. What should I do to help protect my information?
We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information.
We recommend you:
- Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
- Avoid clicking on links or downloading attachments from suspicious emails.