Under Armour Admits 150 million MyFitnessPal Account Data Breach

Read Time: 2 min.

Significant volume of account data leaked, although passwords were hashed...

Perhaps it shouldn't come as a surprise, but wellness technology has always been a potential risk-in-waiting, but that potential might just have been realised.

Athletic apparel brand Under Armour has admitted that a data breach has exposed details of over 150 million MyFitnessPal users. The intrusion, thought to have taken place in late February, saw usernames, email addresses, and hashed passwords stolen by attackers. Although the attack occurred in late February, the company did not realise a breach had occurred until March 25.

Although that might seem like a long period between compromise and discovery, in fact the statistics are in Under Armour’s favour, with a recent report claiming that the average attacker dwell time (time between initial compromise and discovery) is 86 days. That report, the CrowdStrike 2018 Global Threat Report, also found that the average breakout time is around 1 hour and 58 minutes, that’s the average time for an intruder to begin moving laterally to other systems in the network.

Luckily for MyFitnessPal, the personal data leaked is limited to usernames, emails, and hashed passwords, and doesn’t include social security numbers or credit card information.

“ The investigation indicates that the affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords. Payment card data was not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately ”, said Under Armour in a press release.

Under Armour acquired the food and nutrition app MyFitnessPal in 2015 for $475 million, and has seen its user base nearly double over the last three years, according to reports. The company’s shares fell about 4 per cent in after-hours trading on Thursday after disclosing the issue.

In pure numbers terms, the breach slightly tops the July 2017 Equifax breach, that exposed about 147.9 million consumers, but the Under Armour data is much less valuable to criminals. It pales into insignificance compared with Yahoo’s 2013 breach, which eventually totted up to all 3 billion of its accounts being compromised.

Commenting on the biggest data breaches to date, Ilia Kolochenko, CEO High-Tech Bridge said: “ The biggest breach ever is very likely one that occurred without anyone ever knowing about it. Allegedly hacked elections or stolen military technologies are just the tip of the iceberg of unattributed attacks. The most professional cyber-mercenaries do their best to conceal even the fact of the breach, because once a breach becomes known, victims or law enforcement can allocate significant resources for investigation, even if legally they won’t be able prove who is the beneficiary of the breach. Therefore, the most detrimental hacks in terms of economic damage, including stolen intellectual property and billions of lost profits as a result, are likely to be unknown ones.

Individuals cannot really do much to keep their digital assets safe, except follow some common sense best-practices, such as keeping all their devices and software up2date, using strong and unique passwords, installing a free AV from a known vendor, and being very cautious about opening any incoming emails or digital messages they receive. ”

Meanwhile, a study from Venafi found that 79 per cent of healthcare professionals are concerned about the cyber security of their own healthcare information, in spite of 68 per cent believing that their organizations are doing enough to protect patient privacy and personal information from cyber attackers. This sense of conflict continued across the report, with a third of healthcare professionals believing that there is too much cybersecurity regulation in the healthcare industry, but an opposing 29 per cent stating there is not enough regulation...