As of March 29, 2018, Under Armour is reporting that 150 million MyFitnessPal accounts were compromised, leaving millions of usernames, e-mail addresses, and hashed passwords in an unauthorized third party’s hands. Due to the scope of the incident, this would be the largest data breach this year. If you re-use your MyFitnessPal password for any of your other accounts (like your e-mail), change it now. No PII or PCI data, such as social security numbers or credit card numbers, was stolen in the data breach; however, that shouldn’t put anyone at ease. If the e-mail account you use for MyFitnessPal is the same one you use for your bank account, then technically, that could qualify as stolen PII.
Hashed passwords may not necessarily keep you safe. Having only the hashes may make cracking the passwords more difficult for a cybercriminal, but there are different offline password cracking attacks, software, and GPU methods that can speed up the process. For example, a hefty wordlist in combination with John the Ripper or some other form of cracking software can reveal the plaintext of the passwords. Other cyberattackers can take a more sophisticated approach, which would probably be required for such an extensive list of passwords.
What’s more troubling is how many people re-use their passwords for other accounts. According to Keeper Security’s mobile security survey, more than 80 percent of people re-use their passwords for other accounts. Therefore, if your MyFitnessPal password is the same password to your email account, bank account, or social media account, then you’ve involuntarily provided your login credentials to the cybercriminals.
Under Armour is taking the proper IR steps to notify customers of the breach and is urging MyFitnessPal users to immediately change their password. There is no information at this time identifying who the attackers were and how they obtained access.