MyFitnessPal data breach affecting 150 million users

SuperEd 21
Found 30th Mar
Personally don't use this but for those who do...


''Popular calorie-tracking app MyFitnessPal has suffered a massive data breach affecting roughly 150 million users.

Sports gear maker Under Armour revealed Thursday that its fitness application was hacked in late February, allowing an unauthorized party to access millions of users' information.

This includes usernames, email addresses, and 'hashed' passwords, which make it harder for a hacker to ascertain.''

---

Although hashed passwords are a lot harder to crack, it would be very wise to change them ASAP.

Apparently MFP have sent out emails, but just in case, keep an eye out for any phishing attempts.

21 Comments
And what if you log in via FB
Just heard about this. Utterly pathetic it happened in February and they are only just telling us now.

I'm not really sure what anyone would want with my food diary. But feel a bit sorry for people who store ghastly progress pictures in the app!
I got the email yesterday - something about people using "hash passwords"
Thanks Under Armour for being so quick to inform everyone so soon idiots! PS what's a hashed password? A typo?
Edited by: "MrDealio" 30th Mar
MrDealio 5 m ago

Thanks Under Armour for being so quick to inform everyone so soon idiots! PS what's a hashed password? A typo?


Encrypted passwords.
just do what everyone does and change their password (add an extra number to the end or somert?)
A hashed password is encrypted, but the level of protection will depend on whether they added a randomisation element to the algorithm. Hackers will have lookup tables for very common passwords (123456, password1, etc) so reversing or matching the hash for these will be trivial.

Change those passwords and if they are used across other apps etc. with the same username / email recommended that they be changed too...

New European privacy law that comes into effect in May will require companies to report breaches to regulators within 72 hours and to end users (depending on the impact / severity of the breach). I wonder if the emails sent by them were as a result of late discovery of the hack (many hacks are said to be undiscovered for between 100 to 200 days) or if it was due to bad PR etc.
Does this affect Map My Run (also run by Under Armour)?
Edited by: "jamie015" 30th Mar
Basically if you use the same password for anything else you need to change your password for that as well.

I sorted mine back in Feb when this happened but only received emails yesterday and today.

I asked if it's all Armour products and was told better safe than sorry so changed them too.
arcangel111 1 h, 32 m ago

I got the email yesterday - something about people using "hash passwords"



...as did these members of the MyFitnessPal Forums:

[ community.myfitnesspal.com/en/…age ]

MrDealio 1 h, 30 m ago

Thanks Under Armour for being so quick to inform everyone so soon idiots! PS what's a hashed password? A typo?



There doesn't even seem to be an official announcement in any of the Forums!
fanpages 2 m ago

...as did these members of the MyFitnessPal Forums: [ http://community.myfitnesspal.com/en/discussion/10655227/breach-of-data-message#latest ] There doesn't even seem to be an official announcement in any of the Forums!



I don't bother with the forums on there. I only just started using it on the recommendation of one of the PTs at my gym to monitor my calorie intake.. pretty good app too
MSK. 1 h, 59 m ago

Just heard about this. Utterly pathetic it happened in February and they are only just telling us now. I'm not really sure what anyone would want with my food diary. But feel a bit sorry for people who store ghastly progress pictures in the app!


I am not a user of the "app", nor do I have an account, but are (regular) activities & when/where they are undertaken logged (either manually or automatically) using on-board location facilities of the smart device where the "app" is installed?

[EDIT] I see from users in the Forums that automatic logging of events is a feature [/EDIT]

If any home address information is also stored in member profile information that may potentially have security implications.

Realistically the information gained is probably most useful to target serial eaters of certain food types or supplements with selective advertising to their member e-mail address.

Whether or not such e-mails are out to scam/phish, or simply to genuinely sell products the recipient does use is another issue though.


lukenewnham 2 h, 1 m ago

And what if you log in via FB



Disconnect the "app" & the automatic Facebook log-in.
Change your passwords at Facebook.com.
Use another e-mail address for Facebook if you can.
It goes without saying that you should not be storing personal (contact) details in your Facebook profile anyway.

Establish if a pre-linked "MyFitnessPal" account can revert to a standard log-in (with user name/password combination); assuming you wish to continue using "MyFitnessPal".
Edited by: "fanpages" 30th Mar
Rudidudi 2 h, 14 m ago

A hashed password is encrypted, but the level of protection will depend on whether they added a randomisation element to the algorithm. Hackers will have lookup tables for very common passwords (123456, password1, etc) so reversing or matching the hash for these will be trivial. Change those passwords and if they are used across other apps etc. with the same username / email recommended that they be changed too... New European privacy law that comes into effect in May will require companies to report breaches to regulators within 72 hours and to end users (depending on the impact / severity of the breach). I wonder if the emails sent by them were as a result of late discovery of the hack (many hacks are said to be undiscovered for between 100 to 200 days) or if it was due to bad PR etc.


Wrong. A hashed password is not encrypted, it's hashed. This is like saying base64 is encryption. It's not, it's encoding.

A hash is a one way mathematical function. For example, you give it a string / password and it uses a set algorithm to turn it into a fixed length string (32, 128, 256 bits) etc.

When you log in, it takes your password, hashes it using the same function and compares it with the stored password.

An encrypted password is reversible by whoever holds the key, this would mean comparing a plaintext password and a decrypted plaintext password, a waste of time and effort.

In addition to hashing, there's salting, which pads your password with something unique to that record, for example your date of sign up. This strengthens the hash if there's a fixed sequence that isn't known to an attacker.

Invest time and effort into using a password manager like LastPass or have your own method of generating a password.

Color of logo + first 5 of username + fixed password + website address

Would turn hot UK deals into yellow+easto+somePa55w0rd+hukd.co.uk

Much more secure than your 8-char passwords you're probably struggling to remember. Unique for each site, but if somebody works out your algorithm there's a risk of a targeted attack. These are fairly uncommon for general internet use...
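The two posts above (the earlier one on lookup tables for common passwords, and this one on hashing versus encryption and salting) describe the mechanism in words. The following is an added example, not code from the thread or from MyFitnessPal, that shows it in Python's standard library: an unsalted SHA-256 store that a precomputed table recovers instantly, beside a per-record random salt with PBKDF2 (a deliberately slow hash) where two users with the same password get different digests and the login check rehashes with the stored salt. The candidate passwords and the records are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed list of "very common passwords" for the demo; not taken from any breach.
COMMON_PASSWORDS = ["123456", "password1", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the weak scheme a lookup table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password map, i.e. the lookup table the comment mentions."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: per-record salt plus many iterations to slow down guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """What a site should store: a random salt (not secret) next to the salted digest."""
    salt = os.urandom(16)  # unique per record, so identical passwords hash differently
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Login check: rehash the supplied password with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted store: a leaked digest of "123456" is found in the table with one dictionary lookup.
    leaked_unsalted = unsalted_hash("123456")
    recovered = table.get(leaked_unsalted)

    # Salted store: two users with the same password get different digests,
    # neither of which appears in the precomputed table.
    rec_a = create_record("123456")
    rec_b = create_record("123456")

    return {
        "unsalted_recovered": recovered,                       # "123456"
        "salted_digests_differ": rec_a["hash"] != rec_b["hash"],  # True
        "salted_in_table": rec_a["hash"].hex() in table,          # False
        "login_ok": verify("123456", rec_a),                      # True
        "login_wrong": verify("password1", rec_a),                # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not need to be secret; its job is to force an attacker to attack each record separately instead of comparing one table against the whole dump, and the iteration count makes each of those attempts slow. The comment's "date of sign up" would work as a salt only if it is unique per user, which is why a random value is the usual choice.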
fanpages 51 m ago

I am not a user of the "app", nor do I have an account, but are (regular) activities & when/where they are undertaken logged (either manually or automatically) using on-board location facilities of the smart device where the "app" is installed? [EDIT] I see from users in the Forums that automatic logging of events is a feature [/EDIT] If any home address information is also stored in member profile information that may potentially have security implications. Realistically the information gained is probably most useful to target serial eaters of certain food types or supplements with selective advertising to their member e-mail address. Whether or not such e-mails are out to scam/phish, or simply to genuinely sell products the recipient does use is another issue though. Disconnect the "app" & the automatic Facebook log-in. Change your passwords at Facebook.com. Use another e-mail address for Facebook if you can. It goes without saying that you should not be storing personal (contact) details in your Facebook profile anyway. Establish if a pre-linked "MyFitnessPal" account can revert to a standard log-in (with user name/password combination); assuming you wish to continue using "MyFitnessPal".


It doesn't use location itself, as far as I am aware. But it does import that information from Google Fit, Fitbit etc. There are quite a number of connected apps.

I'm pretty disgusted with how little they have done. I expect I may switch to Lifesum, just because I cannot fathom how it's taken them so long to admit this and they have sent out no communication to users themselves about the issue at all. No e-mail, nothing on the blog or social media.

It's going to be frustrating because I have such a large database of my own recipes over there, but I don't think I can carry on given how they have handled this.
I bet fat people are laughing into their cake reading about this
MSK. 1 h, 43 m ago

It doesn't use location itself, as far as I am aware. But it does import that information from Google Fit, Fitbit etc. There are quite a number of connected apps. I'm pretty disgusted with how little they have done. I expect I may switch to Lifesum, just because I cannot fathom how it's taken them so long to admit this and they have sent out no communication to users themselves about the issue at all. No e-mail, nothing on the blog or social media. It's going to be frustrating because I have such a large database of my own recipes over there, but I don't think I can carry on given how they have handled this.


OK, not as much of a personal security risk then if connected fitness "wearables" are supplying data to the database used by the "app".

Also from the Forum thread I quoted above, it seems days have gone by since an official announcement was made by the Company (& that was almost a month after the breach occurred) before e-mails were sent to users.

The e-mails did not make any kind of apology either. Maybe that is a US-centric approach to reduce mitigation & expensive lawsuits.

Yes, if your "app" allows exporting of the data to another format for subsequent import elsewhere, that may be worth considering.

It doesn't sound like you lost any specifically personal information though.
fanpages 30th Mar

OK, not as much of a personal security risk then if connected fitness "wearables" are supplying data to the database used by the "app". Also from the Forum thread I quoted above, it seems days have gone by since an official announcement was made by the Company (& that was almost a month after the breach occurred) before e-mails were sent to users. The e-mails did not make any kind of apology either. Maybe that is a US-centric approach to reduce mitigation & expensive lawsuits. Yes, if your "app" allows exporting of the data to another format for subsequent import elsewhere, that may be worth considering. It doesn't sound like you lost any specifically personal information though.


They finally sent me a notification via the app about this at lunchtime.
MSK. 3 m ago

They finally sent me a notification via the app about this at lunchtime.



Perhaps you were not top of the list of 150 million
fanpages 10 m ago

Perhaps you were not top of the list of 150 million


Hmm, it hadn't occurred to me that queuing was an issue with notifications as well as e-mails.

Well, I am deeply upset they don't value me as a customer, what with my longstanding free not premium account. How very dare they.
MSK. 3 m ago

Hmm, it hadn't occurred to me that queuing was an issue with notifications as well as e-mails. Well, I am deeply upset they don't value me as a customer, what with my longstanding free not premium account. How very dare they.




Indeed. I would certainly think twice about upgrading to a Premium account now...

...and taking all your valuable data to another organisation (so you can lose it again).
fanpages 9 m ago

Indeed. I would certainly think twice about upgrading to a Premium account now... ...and taking all your valuable data to another organisation (so you can lose it again).


I see what you did there