Under Armour, which owns the MyFitnessPal application, announced that an estimated 150 million user accounts had been exposed in a data breach. The account information that was exposed included usernames, emails, and hashed passwords; it's not clear if food logs or other content was also taken.
MyFitnessPal Accounts Exposed
MyFitnessPal is an exercise and calorie-tracking application used by millions of people. The application and its company were purchased by Under Armour, a sportswear brand, in 2015.
Under Armour said that it was made aware of the data breach on March 25, 2018. However, the attacker who took the accounts seems to have gotten into the network a month earlier, in February.
The company said that it has alerted authorities and that leading data security firms will also assist in the investigation. Under Armour will also take the following steps:
- We are notifying MyFitnessPal users to provide information on how they can protect their data.
- We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
- We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
- We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
What Users Can Do
If you’re a MyFitnessPal user, you should also take some extra steps to protect your account. The passwords seem to have been encrypted and hashed, so the hackers won't automatically be able to use them. However, unless your passwords were also long and complicated phrases, they will still be vulnerable to brute-force attacks. Therefore, Under Armour recommended changing your password not just for the MyFitnessPal account, but also for any other accounts where you used the same one.
The company also advised reviewing your account for suspicious activity and being careful about new emails that attempt to get you to click links or open files. Because the emails were exposed in the data breach, the attackers will now be able to use them in spam and phishing campaigns.