Data Of 150 Million Fitness-Conscious Users Accessed in MyFitnessPal Breach

April 6, 2018

Hackers have again targeted those who wish to be fit and healthy. Under Armour, the company that owns the food and nutrition application MyFitnessPal, announced that an unauthorized party had breached its systems and retrieved data on approximately 150 million health-conscious users. Under Armour discovered the intrusion on March 25, 2018, but the data had actually been taken in late February.

Under Armour acted fast: it began notifying users within four days of finding the intrusion and added an in-app notification almost immediately with details of the incident. Kudos to them for acting so quickly. All MyFitnessPal users should change their password, and change it on any other account that uses the same one. In addition, if you have any apps that connect to MyFitnessPal, such as the related app MapMyFitness, change those passwords too. Make sure to use passwords that include:

- At least one number
- At least one special character
- Upper and lower case letters
- At least eight characters

Make sure that every password you create for an online account is unique; a password manager makes that practical, and length matters more than clever character substitutions. Password reuse is a real threat and is exploited successfully over and over. The attack is called credential stuffing, and it is not brute-force guessing: criminals take the username and password pairs leaked from one breach and replay them, with automated tools, against the login pages of other sites to see which accounts open with the same credentials. It works only because people reuse passwords, which is why a breach at one service puts your bank, email, and shopping accounts at risk.
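
From the defender's side, credential stuffing has a recognisable shape: one source trying many different usernames, mostly failing, with an occasional success where a reused password still works. The following detector is an added example, not code from the original article or from Under Armour; the log format, the constructed sample lines, the source IPs, and the thresholds are all assumptions chosen for illustration. It flags a source that attempts many distinct accounts in a short window with a high failure ratio, and reports the accounts where the stuffed credentials actually worked, since those are the ones that need a forced reset.

```python
"""Credential-stuffing detector over constructed login log lines.

Added example (not part of the original article). The log format,
thresholds, IP addresses and usernames below are assumptions made for
illustration; they are not data from the MyFitnessPal incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   "<ISO timestamp> <source IP> <username> <OK|FAIL>"
# 203.0.113.7 replays leaked credentials against many accounts (stuffing).
# 198.51.100.9 is one user mistyping their own password, then succeeding.
# 192.0.2.44 is a normal single login.
SAMPLE_LOG = """\
2018-03-01T02:00:01 203.0.113.7 alice FAIL
2018-03-01T02:00:02 203.0.113.7 bob FAIL
2018-03-01T02:00:02 203.0.113.7 carol FAIL
2018-03-01T02:00:03 203.0.113.7 dave OK
2018-03-01T02:00:03 203.0.113.7 erin FAIL
2018-03-01T02:00:04 203.0.113.7 frank FAIL
2018-03-01T02:00:04 203.0.113.7 grace FAIL
2018-03-01T02:00:05 203.0.113.7 heidi FAIL
2018-03-01T02:00:05 203.0.113.7 ivan OK
2018-03-01T02:00:06 203.0.113.7 judy FAIL
2018-03-01T02:00:06 203.0.113.7 mallory FAIL
2018-03-01T02:00:07 203.0.113.7 oscar FAIL
2018-03-01T02:10:00 198.51.100.9 alice FAIL
2018-03-01T02:10:05 198.51.100.9 alice FAIL
2018-03-01T02:10:11 198.51.100.9 alice OK
2018-03-01T02:30:00 192.0.2.44 bob OK
"""

# Assumed tuning values; real deployments derive these from their own traffic.
WINDOW = timedelta(seconds=60)   # sliding window per source IP
MIN_ATTEMPTS = 10                # attempts inside the window before we judge
MIN_DISTINCT_USERS = 8           # many different accounts, not one account
MIN_FAIL_RATIO = 0.7             # most replayed pairs no longer work


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                               min_distinct_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: alert} for sources whose recent attempts look like stuffing.

    Distinct-user count is what separates stuffing from a single-account
    brute force or a forgetful user: one account failing three times is
    not an alert, ten different accounts failing in six seconds is.
    """
    recent = defaultdict(deque)   # per-IP window of (ts, user, success)
    alerts = {}
    for ts, ip, user, ok in events:
        window_q = recent[ip]
        window_q.append((ts, user, ok))
        while window_q and ts - window_q[0][0] > window:
            window_q.popleft()
        if ip in alerts:          # report each source once
            continue
        attempts = len(window_q)
        distinct = len({u for _, u, _ in window_q})
        fails = sum(1 for _, _, success in window_q if not success)
        if (attempts >= min_attempts and distinct >= min_distinct_users
                and fails / attempts >= min_fail_ratio):
            alerts[ip] = {
                "first_seen": window_q[0][0],
                "attempts": attempts,
                "distinct_users": distinct,
                "fail_ratio": round(fails / attempts, 2),
                # accounts where a reused password worked: force a reset
                "compromised_users": sorted(u for _, u, success in window_q if success),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the sample above only 203.0.113.7 is flagged, and the alert names dave and ivan as the accounts whose reused passwords still worked. The single user retrying their own password from 198.51.100.9 never reaches the distinct-user threshold, which is the point of keying the rule on how many accounts a source touches rather than on failures alone.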

When criminals know so much about a person, it is easier for them to use it against us. For example, if they know your exercise routine or your favorite foods, they can craft a convincing, customized email and phish for other information. We have all heard how valuable our data is these days, and many organizations collect it and sell it. It is easier than ever for our own information to be weaponized against us.

The information retrieved in this incident does not include payment card details, social security numbers, or driver's license numbers. In fact, companies like this don't even need most of that identifying information. Be very careful about what data you provide to companies. If they don't need it, don't provide it, and MyFitnessPal most certainly does not need your social security number.

What was accessed were usernames, email addresses, and hashed passwords (Under Armour said most were hashed with bcrypt). Hashing is not encryption: there is no key that turns a hash back into the password, but an attacker holding the hashes can guess candidate passwords offline at leisure and compare, and weak or common passwords fall quickly to that. So even though the passwords were hashed, you should still change them.

Keep in mind that you should consider any data you post online as public information. So, if you list your fitness goals in this app, for example, it is possible that a phishing email will arrive in your inbox with specifics related to them. Watch out for it and be especially wary of clicking links or opening attachments unless you are certain that they are legitimate and that you are expecting them. If you get a note that some super duper product will help you meet your goal of losing 30 pounds and you click a link to provide information, you may lose something. But it's more likely to be information or money than pounds.

Stickley on Security
April 2, 2018