150MM Account Credentials Stolen from MyFitnessPal

The Under Armour subsidiary MyFitnessPal has officially confirmed the theft of account data for over 150 million users.

The MyFitnessPal Hack

In February 2018, unknown actors accessed the protected data of MyFitnessPal (MFP), a fitness app owned by the sportswear giant Under Armour. As is common in these kinds of situations, MFP has little information on the attackers or their motivations. As stated by the company,

We do not know the identity of the unauthorized party … Our investigation into this matter is ongoing.

Although the breach occurred in February, MFP noticed it on March 25th. The hackers stole account usernames, emails, and encrypted passwords for over 150 million accounts, making this one of the largest data breaches in history. Of course, the company “is actively investigating” and has partnered with law enforcement and security firms to learn the full extent of the damage.

We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.

The Good News

At this point, MFP and Under Armour deserve some credit for their handling of the situation. A data breach is a situation no company wants to be in, but what you do during and after can make all the difference. If you’re worried about a breach, learn from what they did right:

• Proper data segmentation – MFP believes that the hackers did not manage to steal any sort of payment data, such as credit card numbers. Further, MFP siloed what data they did collect appropriately, such that the theft of login data didn’t cascade into the loss of personal or medical info as well.
• Use of encryption – In its notification to customers, MFP confirms that they hashed the passwords with bcrypt. Bcrypt, a very strong hashing algorithm based on Blowfish, has the interesting property of “adapation”; it increases the amount of iterations it does based on available computational power, meaning that it remains brute-force-resistant no matter how strong of a password cracker an attacker uses. This means that the attackers won’t walk away with all passwords. Of course, they’ll find some if the plaintext password is weak, but MFP did what they could with the user input to protect it.
  • One comparatively minor problem is that MFP noted the use of the weak SHA1 hashing function for certain account. From what they said, MFP considered these “legacy” accounts – accounts that the owner didn’t log into for years. This implies that they never got prompted to change their password, so that MFP could hash it with the new algorithm.
• Good reporting standards – From discovery of the breach to public disclosure, MFP only took four days. Compared to companies that didn’t find out they got hacked for literal years, then decided to take a few more months to see if they could shove it under the carpet, MFP deserves credit for their openness so far.
• Clear communication to affected users – Related to the above, MFP has quickly notified those affected by the breach, and has communicated exactly what the users need to do to fix the situation. Further, they made sure to not include links or related info in their notifications in order to protect against phishing meant to take advantage of the situation.

  • “Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging … The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.”

More Reading and Sources

• Slashgear article
• Koddos.net article
• Forbes article

Secure Compliance Solutions is the trusted security advisor for Chicagoland’s small-to-medium businesses. We offer a variety of services that promote a strengthened security posture and a culture of compliance. Our solutions include: risk advisory services, strategic cybersecurity planning, security and privacy awareness, regulatory guidance, penetration testing, and managed security services. We tailor our engagements and solutions to align with your cultural needs and business objectives; not the other way around. We keep your appetite for risk, budget constraints, and timeline in mind to define strategy and operational tactics that maximize your return on investment. At SCS, we help you navigate the course of your cybersecurity journey. Contact us today.