Leading sportswear brand Under Armour announced on Thursday that account details of approximately 150 million users of the company's MyFitnessPal website and application were accessed by cyber criminals in February.
According to Under Armour, the MyFitnessPal team learned about the breach on March 25. The company then informed law enforcement authorities and is now working with data security firms to investigate.
Payment card details still secure
In a blog post on its website, Under Armour said that data accessed by unknown hackers included usernames, email addresses, and hashed passwords. However, the hackers were not able to gain access to personal or financial details of customers.
"The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue," it said.
Under Armour added that all affected customers were contacted four days after the incident was discovered and have been asked to change their MyFitnessPal passwords immediately in order to prevent cyber criminals from misusing their data.
What does this mean for affected customers?
The popularity of the MyFitnessPal website and app has increased steadily over the past few years. Offering exercise and nutrition tracking, its user base rose from 30 million in 2012 to over 165 million in 2016. In 2015, the service was acquired by Under Armour in a $475 million (£338 million) deal, and the app can now sync with all fitness tracking devices retailed by Under Armour.
Commenting on the massive data breach suffered by MyFitnessPal, Evgeny Chereshnev, CEO and Founder of Biolink.Tech, said: "150 million hacked accounts is hugely significant, especially because most users use the same pairs of logins and passwords across multiple sites. Hackers will break the weakest point, in this case a fitness tracker database, and they can use this information to access users' emails, social networks and more."
He warned that even if customers change their passwords, a number of them are likely to add one or two extra characters to their existing passwords, which can be second-guessed by hackers using machine learning algorithms.
"Hackers can also match these stolen email addresses and passwords to other known databases of stolen credit card numbers, social security numbers, behavioural data bought from brokers etc. With this aggregated data, hackers can build up a pretty detailed profile of a user.
"If these hackers were able to match these stolen login credentials to the users' actual fitness data, just imagine what could happen. Having this level of data would allow hackers to know that Mr Smith has a very specific and predictable pattern of behaviour. Fitness trackers don't only track calories and the number of steps a person walks in a day; they also know where people are and at what time. For hackers wanting to specifically target a certain person, this data is a gold mine," he added.