It’s the data security news you never want to hear: 150 million MyFitnessPal user accounts have been hacked, Under Armour says, a huge breach of the health-tracking service. Earlier this year, somebody broke into the company’s systems and yanked out usernames, email addresses, and more. Here are the answers to the five big questions you probably have, and what you should do next if you think you’re affected by the MyFitnessPal breach.
So what happened?
MyFitnessPal is still unsure about much of that. The company says it was alerted to a breach of its database on March 25, 2018. The breach itself took place in February 2018, it claims. “We do not know the identity of the unauthorized party,” MyFitnessPal admits. “Our investigation into this matter is ongoing.”
The company is now working with data security firms and law enforcement to get to the bottom of the breach. However, in the meantime there’s the potential for phishing attempts and attempts at unauthorized access of other services using the data that was stolen.
What information was taken?
There’s good news and bad news when it comes to the stolen data. On the one hand, the affected information included MyFitnessPal usernames, the email addresses associated with them, and hashed passwords. However, the good news is that – since the site never asked for them – Social Security numbers and other similar data weren’t taken. Payments were processed separately, and so payment details weren’t included either.
Although the usernames and email addresses can be read directly, the passwords went through a process known as “hashing” before they were stored. MyFitnessPal used a system called bcrypt to do that, taking the password each user set and converting it into another string of data. The idea is that the converted version can’t be reverted back to the original: hashing is a one-way transformation rather than encryption, so there is no key that turns the stored string back into the password. bcrypt is also deliberately slow to compute, which makes guessing passwords against the stolen hashes far more expensive, although a short or common password can still be guessed given enough time.
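As an added illustration of the one-way, salted password hashing described above (this is example code, not anything from MyFitnessPal or Under Armour): Python’s standard library has no bcrypt, so hashlib.scrypt, another deliberately slow password hash, stands in for it here. The stored-string layout and the cost parameters are this example’s own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: N is the CPU/memory cost (a power of two), r the
# block size, p the parallelism. These are kept modest so the example runs
# quickly; a production deployment would use a larger N.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt>$<digest>.

    A fresh random salt is drawn per password, so two users who pick the
    same password end up with different stored strings.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters.

    The stored string is never 'decrypted'; the only way to check a login
    is to hash the candidate password the same way and compare. The
    comparison is constant-time so timing does not leak how many bytes
    matched. Malformed records are rejected rather than raising.
    """
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:  # wrong field count, bad base64, bad parameters
        return False
    return hmac.compare_digest(candidate, expected)
```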
If the password is hashed, what’s the risk?
Had MyFitnessPal kept the passwords in plaintext, that would’ve been a huge mistake: anybody with the stolen data would have the keys to a vast number of accounts. However, even with just email addresses and usernames, it’s possible to do some serious damage. That’s why MyFitnessPal users should be wary of potential phishing attacks.
With the knowledge that you’re a user of the Under Armour service, and of your email address and username, a hacker could put together a reasonably convincing message that looks as though it comes from MyFitnessPal. Indeed, the fact that this hack is getting public attention means people are likely to be looking out for MyFitnessPal emails, and more likely to open them, read them, and click on any links or attachments they include. That could lead to further data theft if unofficial third parties ask for more personal details like credit card numbers or SSNs, or to malware or spyware being installed on victims’ computers.
MyFitnessPal has already said that, in the emails it’s sending notifying users of the hack, there are no links or attachments. Nor do they ask for personal data. “If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information,” the company says, “the email was not sent by MyFitnessPal and may be an attempt to steal your personal data.”
I never signed up to MyFitnessPal, am I at risk?
Making the situation a little more complex is the fact that you might not have realized you were creating an account with MyFitnessPal specifically. Under Armour’s service works with a number of different fitness wearables from a variety of manufacturers. That includes Fitbit, Garmin, and more.
So what do I do next?
Top of your to-do list should be changing your password on MyFitnessPal. You can do that by logging into the desktop site with your username and password, clicking on the “My Home” tab, then “Settings” and finally “Change Password.” Strong passwords use letters, numbers, and symbols, but avoid personal information and common words.
As with any security breach like this, the broader risk comes if you’ve used the same username and password across multiple sites and services. If that’s the case, take the time to go through them and change those other passwords as well. This is probably a good opportunity to consider using a password manager like Keeper, 1Password, or LastPass.