How Under Armour’s App MyFitnessPal Got Hacked

  • By David Lukic
  • Published: Feb 01, 2021
  • Last Updated: Mar 18, 2022

MyFitnessPal is a fitness tracking app that was created in 2005, then in 2015, Under Armour purchased it for $475 million. On March 25, 2018, Under Armour alerted customers that a MyFitnessPal data breach had occurred, affecting 150 million accounts.

Under Armour wasted no time notifying the authorities and customers. Cybersecurity experts secured the app and are continuously monitoring for any unusual or suspicious activity. They also required every user to reset their password.

Although the hacker’s exact attack strategy isn’t clear, experts are speculating that it was due to a vulnerability in the security of the MyFitnessPal encryption functions and possibly the actions of an employee.

When was the MyFitnessPal Data Breach?

The MyFitnessPal data breach occurred in February of 2018. Under Armour wasn’t aware of the incident until late March but notified its affected parties at an above-average speed. Due to the application’s focus on fitness, hackers didn’t gain access to any forms of government identification.

Under Armour had already reset all affected user’s passwords, so essentially, the information is useless for accessing updated MyFitnessPal accounts. However, the information could be leveraged in other scams and hacking attempts.

What Information Did the Hackers Get?

A MyFitnessPal spokesperson reported that the attack compromised the usernames, email addresses, and hashed passwords of 150 million users. Notably, the application protected stored login credentials with encryption.

Doing so prevents criminals from immediately accessing users’ accounts since they need considerable time to decode each one. This gave MyFitnessPal enough time to notify their user base and get them to change their passwords.

The company clarified that sensitive government-granted details like Social Security Numbers, driver’s license information, and payment details weren’t lost. This happy note wasn’t due to extra safety measures in place. Rather, the application simply didn’t collect that type of information

MyFitnessPal Data Breach

Can MyFitnessPal Data Breach Lead to Identity Theft?

The information thieves stole in the MyFitnessPal data breach isn’t enough to immediately steal your identity. But that doesn’t mean you’re in the clear.

Basic identifiers, like what was stolen, is precisely the type of information cybercriminals use to launch phishing attacks and scams for identity theft. Stolen email addresses serve as a starting point for fake emails that lure customers into clicking a link or downloading malware that’ll steal confidential information.

Under Armour understands the possible phishing dangers and included it in their announcement. It reminded users that MyFitnessPal would never ask for their personal data or send emails containing attachments. Everyone should be wary of any invitation to click on a link since it may be an attempt to steal additional personal data.

Sometimes these links allow criminals to take control of your computer. This practice becomes far more severe if the criminal overtakes a professional device. Companies have lost millions from having their devices held hostage while hackers demand a ransom. This is called ransomware, and it is becoming very common.

Additionally, criminals may contact someone connected to you using the stolen information. Personal information like a full name or address can add credibility to their claim and make your friends more likely to fall for the scam.

What Caused the Under Armour Data Breach?

When the breach came to light, Under Armour announced that their passwords were protected with the bcrypt password-hashing function. Most experts consider bcrypt suitable for cybersecurity as it scales with computational power and hashes with salt.

Basically, the MyFitnessPal server transformed passwords into long strings of numbers and letters that could be rearranged nearly infinitely. One of the main selling points of bcrypt is that it'll remain relevant in the future. The system will hold up even if criminals can guess password combinations twice as fast.

This sounds good, but the company later stated that it didn't utilize bcrypt across the board. There were a large number of passwords that were protected with the outdated SHA-1 function.

SHA-1 hasn't been safe since 2005 and heavily fell out of favor by the decade's end. Well-funded attackers have the computational power to break it relatively quickly. While smaller operations may get away with using it, national-level corporations should have, at minimum, switched to the SHA-2 family long ago.

The Aftermath of the MyFitnessPal Hack

Some companies neglect to inform their users of a data breach for months. They try to put out the most significant fires and confidently announce that everything is under control. This approach hardly ever works and leaves consumers with a bad taste in their mouths.

Luckily, Under Armour announced their mistake in just four days.

Their quick response indicated upper management's strong sense of responsibility and consideration. It gave users time to respond before it was too late and allowed the company to steer the narrative without appearing self-serving.

Most companies' value experiences a sharp drop following a breach. For example, Target's stock fell 11 percent when it announced a breach in 2013 and didn't start to bounce back for a few months.

By comparison, Under Armour's stock fell a mere 4 percent in the days after its breach. However, it didn't need nearly as long to bounce back and was even up 9 percent a month later. 

What Happened to the Leaked Data?

The MyFitnessPal information didn't appear online for a long time following the breach. It was only after a year that the data popped up on the dark web.

It appeared alongside stolen information from 16 other websites for a grand total of 620 million accounts. The seller posted on the platform Dream Market with a listed price of $20,000. Since this was in 2019, the seller requested they be paid in bitcoin.

Despite the massive size of the MyFitnessPal breach, the most significant number of for-sale account information came from the 2019 Dubsmash attack. Reddit bought the video platform in 2020 after it had over 160 million accounts compromised.

The price was surprisingly low considering the amount of information for sale. The sale description claimed server information on various websites, including other big names like Whitepages and Coffee Meets Bagel

MyFitnessPal Hack

Under Armour's Class Action Lawsuit

Despite an objectively swift response, Under Armour still had a class action lawsuit filed against it. The plaintiff, Rebecca Murray, argued that MyFitnessPal was negligent in its security and violated multiple California laws.

The most notable of these laws was the state's regulations against deceptive business practices. Murray stated that her financial information was compromised despite Under Armour's claims that no credit card details were stolen. The lawsuit sought damages alongside a motion to compel Under Armour to enhance its security systems.

In response, Under Armour filed to dismiss the action and seek individual arbitration with Rebecca Murray as she agreed in the company's "Terms and Conditions of Use" agreement. After some deliberations, the case was dismissed on March 20, 2019.

How to Check if Your Data Was Breached by MyFitnessPal Hack

If you were a user of the MyFitnessPal data breach in 2018, you were affected. You should have received a notice from the app to reset your password. Additionally, MyFitnessPal posted a notice of the MyFitnessPal breach and also an FAQ page with answers to popular questions by customers affected by the MyFitnessPal data breach.

What to Do if Your Data Was Stolen by MyFitnessPal Breach

If you continued using the app regularly, by now, you have reset your password. While that’s a good start, it’s not enough to keep your identity safe. Just your full name and email address can be enough to break into existing accounts or open new ones.

Our suggested changes are:

  • If you used the same password for MyFitnessPal on other websites, change it immediately. 
  • Review your credit card and bank statements each month looking for any suspicious activity.
  • Get a copy of your credit report and sign up for credit monitoring (IDStrong.com does this for you).
  • Run a full antivirus scan of your computer.

Also, watch out for emails that look like they came from MyFitnessPal, but the links go to a fake or spoofed website. 

What to Do to Protect Yourself When Using Mobile Apps

Mobile apps like MyFitnessPal have become a big part of our daily lives. Fitness trackers are a great way to meet personal health goals and maintain an active lifestyle. Although these applications don’t store a lot of personally identifiable information (PII), what they do have is enough to take a criminal to the next step.

Depending on the app, it may collect and store a lot of personal information about you. Location trackers can even keep a record of the areas you visit frequently. This is how marketing profiles and personalized recommendations are made.

That information makes life more convenient at times, but it’s also at the mercy of the security on the server where it resides. The best way to protect yourself is by being careful and selective when giving out your personal details.

  • Trust only verified apps that have good reputations.
  • Use a distinct password for each app you use, never reuse the same one.
  • When creating passwords, make them long and strong (a combination of symbols, letters, and numbers). 
  • Install antivirus on your computer and run scans often.
  • Never open emails from someone you don’t know.
  • Do not click links in emails or download any attachments.
  • Always look for the “lock” symbol or https when visiting online app portals to make sure they are secured.

Creating and remembering the passwords to ten or twenty accounts is challenging. Taking advantage of a password manager makes things more manageable, and some of them also track suspicious logins. Most browsers have a plug-in that you can install immediately to enjoy a much safer online experience!

Data Breach of MyFitnessPal

 

About the Author
IDStrong Logo

Related Articles

What is Data Leak and How to Prevent Accidental Data Leakage

Data breaches take many forms, and one of them is through data leak and accidental web exposure. M ... Read More

The Saga of T-Mobile Data Breach: 2013, 2015, 2021 and 2023 Hacks

T-Mobile has experienced a number of data breaches in the past decade. The first case occurred som ... Read More

Anthem Data Breach Exposed 78 Million Records

In the Anthem Data Breach of 2015, hackers were able to steal 78.8 million member’s records. ... Read More

Everything You Need to Know About Insider Data Breach

Data breaches are on the news frequently, but the average person doesn’t really know that much a ... Read More

The NSA Hack, How Did it Happen?

The National Security Agency (NSA) was the main attraction in a major data breach involving three ... Read More

Latest Articles

What You Need to Know about the Delta Dental Data Breach

What You Need to Know about the Delta Dental Data Breach

Delta Dental is a dental insurance provider serving over 90 million Americans. It offers coverage in all 50 states, Puerto Rico, and Washington, D.C. The company was established in 1966 in California as part of the Delta Dental Plans Association.

What You Need to Know about the Hot Topic Data Breach

What You Need to Know about the Hot Topic Data Breach

Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees.

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close