No Under Armour: 150 million users’ data lifted from MyFitnessPal

No Under Armour: 150 million users’ data lifted from MyFitnessPal

NEWSBYTE US fitness giant Under Armour, which owns the MyFitnessPal application and community, has announced that the usernames, email addresses, and hashed passwords of 150 million users have been accessed in a mass data breach.

MyFitnessPal allows members to track their fitness and calorie intake via wearable devices and smartphones.

Separately stored payment details, driving licences, and social security numbers were not lifted by the hackers, according to the company.

“Once more unto the breach…”

Although announced last night, the breach reportedly occurred at the end of February and Under Armour has already taken steps to notify its members privately.

Speaking about the attack, Evgeny Chereshnev, founder and CEO of secure ID specialist Biolink.Tech said, “150 million hacked accounts is hugely significant, especially because most users use the same pairs of logins and passwords across multiple sites. Hackers will break the weakest point; in this case a fitness tracker database, and they can use this information to access users’ emails, social networks, and more.

“When users are notified about changing passwords following a breach, more often than not they do so in a predictable way, such as by adding a 1 or a ! at the end, but these algorithms are known by hackers. They use machine learning and AI too.

“Hackers can also match these stolen email addresses and passwords to other known databases of stolen credit card numbers, social security numbers, behavioural data bought from brokers etc. With this aggregated data, hackers can build up a detailed profile of a user.”

Internet of Business says

Paranoia aside, the breach has been reported as “another day on the internet” by some commentators, revealing that this pattern of behaviour has simply become part of normal life, in the wake of similar attacks on Adobe, Uber, LinkedIn, and many others in recent years.

The positive takeaway is that Under Armour didn’t store password data unsalted, unlike some other large organisations, including LinkedIn, which failed to secure their members’ details against unauthorised access. At least Under Armour had a modicum of under armour to cover itself, and has handled the breach well.

That said, global coverage of any mass data breach will cause significant brand damage in the short term, however well an organisation deals with the bad news.