Under Armour Data Breach Impacts 150 Million MyFitnessPal App Users

On March 29, 2018, Under Armour announced that the company is notifying users about a data security incident which has affected approximately 150 million MyFitnessPal user accounts. MyFitnessPal is Under Armour’s “food and nutrition application and website.”

According to Under Armour, “[o]n March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.”

Affected Information Included Usernames, E-Mail Addresses, and Hashed Passwords

The company stated that its “. . . investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”

Under Armour further stated:

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which [Under Armour] does not collect from users. Payment card data was also not affected because it is collected and processed separately. [Under Armour’s] investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.

Four days after learning of the issue, [Under Armour] began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.

“Hashed Password” & “Bcrypt”

Under Armour’s “MyFitnessPal Account Security Issue: Frequently Asked Questions” page states that “hashed password” refers to “a one-way mathematical function that converts an original string of data into a seemingly random string of characters.” The company defined “bcrypt” as “a password hashing mechanism that incorporates security features, including multiple rounds of computation, to provide advanced protection against password cracking.” Additionally, Under Armour stated that “MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.”

Who Is Responsible for Under Armour’s Data Breach?

Among other things, the FAQ page also states that the company “does not know the identity of the unauthorized party” that “acquired data associated with MyFitnessPal user accounts.” Under Armour’s investigation of the security issue is ongoing.

Kehoe Law Firm, P.C.