Under Armour’s hugely popular fitness tracker, MyFitnessPal, has been hacked. If you’re one of the 150 million or so users of the app or website don’t panic, but do change your password.
If you use Facebook to log in to MyFitnessPal you do not need to change your Facebook password.
If you use your MyFitnessPal password on any other websites, change your password on those websites – choose a different, strong password for each one (consider using a password manager if that sounds too difficult).
Under Armour says it’s notifying users of MyFitnessPal about the breach. It’s possible that criminals will try to take advantage of this by sending malicious tweets or emails that look like they’ve come from Under Armour.
You can protect yourself by be being proactive: read Under Armour’s notice of data breach and check its account security FAQs.
Don’t click on links in emails that seem to have come from Under Armour or MyFitnessPal. The company has made a clear statement that it will not send emails about this that contain links or attachments :
Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal
If you need to visit MyFitnessPal use a browser bookmark if you have one, open your browser and type the address: https://www.myfitnesspal.com/
if you don’t, or just use the app on your phone.
The bad news
On 29 March 2018 Under Armour began informing users of MyFitnessPal that it has suffered a data breach at some point during the previous month:
On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.
The data at risk are the credentials used to access MyFitnessPal accounts:
The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.
Crooks have therefore had at least a month to send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).
That’s why it’s important that you change your password on your MyFitnessPal account, and any other accounts using the same password, without delay.
Since the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk.
MyFitnessPal is a fitness tracker that knows your name, address and age, and tracks your diet and exercise. That data that might not seem very important (and losing it certainly isn’t as important as losing control of, say, your banking details) but it is the kind of information that can be used to make social engineering attacks, such as phishing, more convincing.
The not so bad news
People, processes and software are imperfect and breaches can happen to anyone, even companies that take precautions to prevent them.
The damage caused by a breach is in large part a matter of how well it’s been planned for and how it’s handled when it happens.
It’s not uncommon for more facts to come to light in the weeks and months following a breach, not least because companies are often still investigating them when they first notify customers.
With that caveat, Under Armour appears to have done a lot right:
- The breach was identified reasonably quickly.
- The notification was fairly prompt, clear and unspun.
- The data affected by the breach is limited in scope.
- Most passwords seem to have been properly protected.
The storage of passwords is particularly important – by hashing your passwords with bcrypt MyFitnessPal has given you a fighting chance.
The crooks haven’t got your password – they’ve got a hash of your password that needs to be cracked.
Cracking costs money (because it takes time and computing power) and bcrypt is designed to make seriously heavy weather of it.
How much resistance bcrypt puts up depends on how its configured (on the number of iterations it uses) and Under Armour have not provided that information.
Dean Pierce is a blogger who decided to have some fun cracking hashes that were leaked during the Ashley Madison data breach. His experience is instructive of how well bcrypt can defend your password after a breach if the iterations are dialled up.
Pierce set out to crack six million hashes using oclHashcat running on a $1,500 bitcoin mining rig (a very efficient setup for cracking passwords).
After five days and three hours of continuous number crunching he turned off his rig. He had cracked just 4,000 of the very worst passwords.
There’s a good chance that your MyFitnessPal password is still unknown, even though it was leaked over a month ago, which is why what you do today matters.
Change it now and you aren’t just making your account safe, you’re making sure any the time and money the crooks have committed to cracking your password was wasted.
Claudia Koperski
If I change my Fitbit password is that the same thing as My Fitness Pal password? I can’t find how to change My Fitness Pal password
Mark Stockley
No, they’re not the same thing.
You can link the two by authorising your MyFitnessPal account to write data to your FitBit account (by selecting it under Apps at myfitnesspal.com) but they are quite separate.
You can log in to MyFitnessPal using the app or the website – https://www.myfitnesspal.com/. If you can’t remember your password change it using the forgot password facility – https://www.myfitnesspal.com/account/forgot_password
Cameron Price
If you login via Facebook (and therefore do not have an exclusive myfitnesspal password), does that mean your Facebook password could become compromised?
Mark Stockley
No, your Facebook password isn’t stored by (or ever touched or seen by) MyFitnessPal so the breach at MyFitnessPal doesn’t offer the crooks a route to your Facebook password. In fact, in this particular situation, you’re better off than the people who don’t do this.
When you log in via Facebook you’re authenticated by Facebook and Facebook then vouches to MyFitnessPal that you are who you say you are.
Anonymous
You have a typo, “beaches” should be “breaches”.
“People, processes and software are imperfect and beaches can happen to anyone”
Paul Ducklin
Fixed, thanks.
Rob
I’d like to think beaches can happen to anyone too. A more optimistic thought.
Techno
Such a large number of records being compromised suggests it was either an SQL injection attack, or a database administrator password was cracked, or obtained by social engineering.
Anonymous
I recieved an email from MyFitnessPal but I can’t recall ever joining. I have no other emails from them and I don’t have any apps of theirs installed on any of my devices. I do, however, have a FitBit. How do I find out if they have a password for me if I wasn’t even aware I had an account?
Mark Stockley
FitBit and MyFitnessPal are different things.
I suggest that you use the email address that Under Armour used to contact you to reset your password. If you don’t have an account then the reset won’t work. If you do have an account then the reset will both confirm the existence of the account and change your password.
https://www.myfitnesspal.com/account/forgot_password
If you don’t want the account then, after you’ve reset your password, log in and go to Settings > Delete account.
niazpardaz
nice post thank you
Toby
Love My Fitness Pal but am tired of Mac Cleaner Pro tring to download their cleaner on my Mac. They use different cover messages to get me to download Mac Cleaner Pro like Adobe update is available, this week its Mac Care found viruses on my computer. This only happens only when I’m using My Fitness Pal. website Please Fix ASAP.
Anonymous
I don’t remember joining my fitness. My bank informed me of this breach and advised me to change my passeords