How Under Armour’s App MyFitnessPal Got Hacked
- By David Lukic
- Feb 01, 2021
MyFitnessPal is a fitness tracking app created in 2005; Under Armour purchased it in 2015 for $475 million. On March 25, 2018, Under Armour learned of a MyFitnessPal data breach affecting approximately 150 million accounts, and it notified customers four days later.
Under Armour wasted no time notifying the authorities and customers. It brought in outside security specialists, began monitoring the app for unusual or suspicious activity, and required every user to reset their password.
The attacker's exact method was never made public. Commentators speculated that it involved a weakness in how MyFitnessPal stored password hashes, and possibly the actions of an employee.
When was the MyFitnessPal Data Breach?
The MyFitnessPal data breach occurred in late February 2018. Under Armour was not aware of the incident until March 25 but notified affected users faster than most companies do. Because the app is focused on fitness, the attackers did not obtain any form of government identification.
Under Armour required all affected users to reset their passwords, so the stolen credentials are of little use for logging in to MyFitnessPal itself. The usernames and email addresses, however, can still be used in phishing, and any recovered password can be tried against other sites where the same user reused it (credential stuffing).
What Information Did the Hackers Get?
A MyFitnessPal spokesperson reported that the attack compromised the usernames, email addresses, and hashed passwords of about 150 million users. Notably, the passwords were not stored in plain text: the application stored only password hashes.
A hash cannot be reversed directly, so an attacker has to crack each one by guessing candidate passwords and comparing the results. For a slow hash such as bcrypt, that takes considerable time per password, which gave MyFitnessPal a window to notify its user base and get them to change their passwords before most hashes could be recovered.
The company clarified that sensitive details such as Social Security Numbers, driver's license information, and payment card data were not exposed. That was not the result of extra safeguards; the application simply does not collect that type of information.
Can MyFitnessPal Data Breach Lead to Identity Theft?
The information thieves stole in the MyFitnessPal data breach isn’t enough to immediately steal your identity. But that doesn’t mean you’re in the clear.
Basic identifiers like the ones stolen here are precisely the information cybercriminals use to launch phishing attacks and identity-theft scams. A stolen email address is the starting point for a convincing fake email that lures the customer into clicking a link or downloading malware that steals further confidential information.
Under Armour recognized the phishing risk and addressed it in its announcement, reminding users that MyFitnessPal would never ask for their personal data by email or send emails containing attachments. Treat any unexpected invitation to click a link as a possible attempt to harvest more personal data.
Such links may also deliver malware that gives the attacker control of the victim's computer, which is far more serious when the device belongs to an employer. Ransomware, in which attackers lock up a company's systems and demand payment, has cost companies millions and is increasingly common.
Additionally, criminals may use the stolen information to approach people connected to you. Knowing a target's full name and email address adds credibility to the approach and makes friends and colleagues more likely to fall for the scam.
What Caused the Under Armour Data Breach?
When the breach came to light, Under Armour said that passwords were protected with the bcrypt password-hashing function. bcrypt is widely considered appropriate for password storage: it salts every hash, and its cost factor can be raised as hardware gets faster.
In practice, the MyFitnessPal server never stored the passwords themselves, only bcrypt output, a salted digest that cannot be reversed and has to be cracked by trying one candidate at a time. bcrypt's main selling point is that the work per guess is tunable: each increment of the cost factor doubles the time a guess takes, so defenders can keep pace even when criminals can test password candidates twice as fast.
This sounds good, but the company later acknowledged that it had not used bcrypt across the board. A large share of the passwords were protected only with SHA-1, a general-purpose hash that was never designed for password storage.
SHA-1's collision resistance has been considered broken since 2005, and it had fallen out of favor by the end of that decade. For password storage, however, the bigger problem is speed: a single GPU can compute billions of SHA-1 hashes per second, and if the hashes were unsalted, one precomputed table cracks every account that shares a password in a single pass. Switching to the SHA-2 family would not have fixed this, since SHA-256 is just as fast. The right move for a company of Under Armour's size was to migrate every stored password to a slow, salted, tunable function such as bcrypt, scrypt, or Argon2 long before the breach.
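The difference between the two schemes described above, as an added example that is not Under Armour's or MyFitnessPal's code. bcrypt is a third-party package, so the standard library's PBKDF2 stands in for it here with a bcrypt-style log2 cost factor (an assumption made for portability; the salting and tunable-cost behaviour being illustrated is the same). The user records and the attacker's wordlist are constructed for the demonstration.

```python
"""Added example: fast unsalted SHA-1 versus a salted, tunable-cost KDF.

Not code from MyFitnessPal or Under Armour. hashlib.pbkdf2_hmac stands in
for bcrypt (assumption), with `cost` acting like bcrypt's log2 work factor.
"""
import hashlib
import hmac
import os
import time

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {
    "alice": "Summer2018!",
    "bob": "Summer2018!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist of the kind run against leaked hash dumps.
WORDLIST = ["password", "123456", "Summer2018!", "letmein", "qwerty"]


def sha1_store(password):
    """Legacy scheme: one unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1_dump(dump, wordlist):
    """Hash each candidate once, then match every account by table lookup.

    With no salt, identical passwords produce identical digests, so the whole
    dump is cracked in a single pass over the wordlist.
    """
    table = {sha1_store(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def kdf_store(password, cost, salt=None):
    """Salted, slow scheme. `cost` is a log2 work factor: 2**cost iterations.

    Stored as 'cost$salt_hex$digest_hex' so the parameters travel with the hash
    and can be raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "%d$%s$%s" % (cost, salt.hex(), digest.hex())


def kdf_verify(password, stored):
    """Recompute with the stored cost and salt; compare in constant time."""
    cost, salt_hex, _ = stored.split("$")
    recomputed = kdf_store(password, int(cost), bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def guesses_per_second(cost, samples=5):
    """Approximate guess rate at a given cost; +1 on cost roughly halves it."""
    start = time.perf_counter()
    for _ in range(samples):
        kdf_store("guess", cost, b"\x00" * 16)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    sha1_dump = {u: sha1_store(p) for u, p in USERS.items()}
    print("SHA-1: identical passwords collide:", sha1_dump["alice"] == sha1_dump["bob"])
    print("SHA-1 dump cracked by wordlist:", crack_sha1_dump(sha1_dump, WORDLIST))

    kdf_dump = {u: kdf_store(p, cost=12) for u, p in USERS.items()}
    print("KDF: identical passwords differ:", kdf_dump["alice"] != kdf_dump["bob"])
    print("KDF verify alice:", kdf_verify("Summer2018!", kdf_dump["alice"]))
    for c in (10, 11, 12):
        print("cost %d: ~%.0f guesses/s on this machine" % (c, guesses_per_second(c)))
```

Running it shows the two effects the text describes: the SHA-1 dump gives up alice and bob together from a five-word list, while the salted records for the same password differ and each guess against them costs a tunable, and growing, amount of work.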
The Aftermath of the MyFitnessPal Hack
Some companies neglect to inform their users of a data breach for months. They try to put out the most significant fires and confidently announce that everything is under control. This approach hardly ever works and leaves consumers with a bad taste in their mouths.
By contrast, Under Armour disclosed the breach four days after learning of it.
The quick response reflected a strong sense of responsibility at the top of the company. It gave users time to act before stolen credentials could be exploited, and it let the company tell its own story without appearing self-serving.
Most companies' value experiences a sharp drop following a breach. For example, Target's stock fell 11 percent when it announced a breach in 2013 and didn't start to bounce back for a few months.
By comparison, Under Armour's stock fell a mere 4 percent in the days after its breach. However, it didn't need nearly as long to bounce back and was even up 9 percent a month later.
What Happened to the Leaked Data?
The MyFitnessPal data did not surface publicly for a long time after the breach. Only about a year later, in early 2019, did it turn up for sale on the dark web.
It was one of 16 site databases offered together, roughly 620 million accounts in all. The seller listed them on the Dream Market marketplace for about $20,000, payable in bitcoin.
Despite the size of the MyFitnessPal breach, the largest single dataset in the listing came from Dubsmash, with over 160 million compromised accounts. Reddit acquired the video platform in 2020.
The price was surprisingly low considering the volume of information for sale. The listing also claimed data from other well-known sites, including Whitepages and Coffee Meets Bagel.
Under Armour's Class Action Lawsuit
Despite its swift response, Under Armour still faced a class action lawsuit. The plaintiff, Rebecca Murray, argued that MyFitnessPal had been negligent in its security and had violated multiple California laws.
The most notable of these was the state's prohibition on deceptive business practices. Murray stated that her financial information had been compromised despite Under Armour's claim that no credit card details were stolen. The lawsuit sought damages and an order compelling Under Armour to improve its security.
In response, Under Armour moved to dismiss the action and compel individual arbitration, citing the arbitration clause in the "Terms and Conditions of Use" that Murray had agreed to. After some deliberation, the case was dismissed on March 20, 2019.
How to Check if Your Data Was Breached by MyFitnessPal Hack
If you had a MyFitnessPal account at the time of the 2018 breach, you were affected. You should have received a notice from the app requiring you to reset your password. MyFitnessPal also published a notice of the breach and an FAQ page answering the questions most affected customers asked.
What to Do if Your Data Was Stolen by MyFitnessPal Breach
If you continued using the app regularly, you have reset your password by now. That is a good start, but it is not enough on its own. A full name and email address, combined with a password reused from another site, can be enough to break into existing accounts or to make a convincing opening for a scam that leads to new ones.
Our suggested changes are:
- If you used the same password for MyFitnessPal on other websites, change it immediately.
- Review your credit card and bank statements each month looking for any suspicious activity.
- Get a copy of your credit report and sign up for credit monitoring (IDStrong.com does this for you).
- Run a full antivirus scan of your computer.
Also, watch out for emails that look like they came from MyFitnessPal but whose links lead to a fake or spoofed website. The visible text of a link can say one thing while its real destination is a lookalike domain, so check where a link actually goes, or type the site's address yourself, before entering any credentials.
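The check just described, written out as an added example (not from the original article and not MyFitnessPal's code): parse the links in an HTML email and flag any whose destination host is not under the brand's domain, or whose visible text names a different host than the one it actually points to. The trusted domain and the sample email body are constructed assumptions for the demonstration.

```python
"""Added example: flag phishing-style links in an HTML email.

Not code from MyFitnessPal or Under Armour. TRUSTED and SAMPLE_EMAIL are
constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "myfitnesspal.com"  # domain the email claims to come from (assumption)

# Constructed sample: one honest link, two deceptive ones, one legitimate subdomain.
SAMPLE_EMAIL = """<p>Your MyFitnessPal password must be reset.</p>
<a href="https://www.myfitnesspal.com/account/reset">https://www.myfitnesspal.com/account/reset</a>
<a href="http://myfitnesspal.com.secure-login-check.example/reset">www.myfitnesspal.com/reset</a>
<a href="https://myfitnesspa1.com/reset">Reset now</a>
<a href="https://help.myfitnesspal.com/faq">FAQ</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased hostname; bare 'www.x.com/path' text gets a scheme first."""
    if "://" not in url_or_text:
        url_or_text = "https://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it.

    'myfitnesspal.com.evil.example' does NOT qualify: the trusted name is a
    prefix, not a suffix, which is the classic lookalike trick.
    """
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    return "." in text and " " not in text


def suspicious_links(html, trusted=TRUSTED):
    """Return (href, reason) for each link a user should not click."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = host_of(text) if looks_like_url(text) else None
        if not belongs_to(dest, trusted):
            flagged.append((href, "destination %s is not under %s" % (dest, trusted)))
        elif shown and shown != dest:
            flagged.append((href, "text shows %s but link goes to %s" % (shown, dest)))
    return flagged


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", href, "->", reason)
```

The second sample link is the important one: its visible text is a genuine-looking MyFitnessPal URL and its hostname even begins with "myfitnesspal.com", but the registrable domain is "secure-login-check.example". A suffix check against the trusted domain catches it, while a naive "contains myfitnesspal.com" check would not.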
What to Do to Protect Yourself When Using Mobile Apps
Mobile apps like MyFitnessPal have become a big part of our daily lives. Fitness trackers are a great way to meet personal health goals and maintain an active lifestyle. Although these applications don't store much personally identifiable information (PII), what they do hold is enough to give a criminal a starting point.
Depending on the app, it may collect and store a lot of personal information about you. Location trackers can even keep a record of the areas you visit frequently. This is how marketing profiles and personalized recommendations are made.
That information makes life more convenient at times, but it’s also at the mercy of the security on the server where it resides. The best way to protect yourself is by being careful and selective when giving out your personal details.
- Install apps only from official app stores, and check the developer's reputation before granting them access to your data.
- Use a distinct password for each app you use; never reuse the same one.
- When creating passwords, make them long. Length does more for security than sprinkling in symbols.
- Install antivirus on your computer and run scans regularly.
- Be suspicious of unsolicited emails, even when they appear to come from someone you know.
- Do not click links or open attachments in unexpected emails; go to the site directly instead.
- Look for the "lock" symbol or https when visiting online app portals, but understand what it means: the connection is encrypted, not that the site is genuine. A phishing site can have a valid certificate too, so check the domain name as well.
Creating and remembering the passwords to ten or twenty accounts is challenging. A password manager makes this manageable, and many will also flag passwords that are reused or that have appeared in known breaches. Most browsers offer a plug-in you can install immediately for a much safer online experience.