Under Armour confirmed late Thursday that a data breach has affected approximately 150 million MyFitnessPal accounts. The initial reports suggest that stolen data may include usernames, email addresses and hashed (not plain-text) passwords.

According to CNBC, the data stolen doesn’t include payment data such as credit cards, which is stored separately. Under Armour doesn’t collect more sensitive information such as social security numbers or driver licenses, so none of that information is at risk.

It’s not initially clear how long Under Armour has known about the data breach, how it occurred or when. Companies traditionally conduct at least a preliminary investigation to discover the size of the breach before warning customers, so it’s possible that sensitive information has been in the hands of hackers for months.

The best news from the breach is that Under Armour stored user passwords that were hashed, rather than plain text. That will make it more difficult for attackers to find the plain-text passwords, although it’s still far from impossible.

The biggest risk with a data breach such as this isn’t necessarily the immediate information that’s divulged, but rather what the username/password combos could give access to. Users have a well-documented habit of reusing usernames and passwords across websites, so a breach of MyFitnessPal could easily lead to bank accounts or any amount of sensitive information.

If you’re a MyFitnessPal user, you’ll likely want to change your password for MyFitnessPal as well as any other accounts that share the same password. Enabling two-factor authentication for any sensitive accounts will also make it harder for attackers to reuse your credentials.