Fitness vendor Under Armour reported a massive data breach on March 29, impacting 150 million users accounts.
The data breach specifically involves users of Under Armour’s popular MyFitnessPal application, which provides exercise, diet and calorie counting capabilities. The company detected the breach four days ago and is now reaching out to users to inform them of the event.
“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” Under Armour stated in a press release. “The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.”
According to the initial investigation, an “unauthorized party” was able to get access to 150 million MyFitnessPal user accounts. Under Armour has not publicly identified the root cause of the breach.
“Once we became aware, we quickly took steps to determine the nature and scope of the issue,” an Under Armour list of frequently asked questions (FAQ) states. “We are working with leading data security firms to assist in our investigation.”
Password Hashing
The data taken in unauthorized access includes usernames, email addresses and hashed passwords. Rather than storing passwords in plain text, which is inherently insecure, hashed passwords are scrambled cryptographically. Under Armour specifically noted that it was using the bcrypt hashing algorithm to protect its user passwords.
The use of bcrypt for hashing passwords is not uncommon and has been cited by other breached companies in the past as a way to reassure users that their stolen hashed password databases cannot be easily re-used. In 2016, when Yahoo first reported its massive data breach impacting over 500 million account, the company emphasized its use of bcrypt.
Adult infidelity website Ashley Madison, also highlighted its used of bcrypt after its 2015 data breach impacted 37 million users. Following the Ashley Madison breach, multiple groups of security researchers attempted to de-crypt the hashed passwords, with limited success.
Credit Card Information
Of particular note in the Under Armour breach is fact that the attackers did not get access to any payment card information. The company noted that payment card data was not affected because it is collected and processed separately.
“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users,” Under Armour stated.
Next Steps
Under Armour has reported the breach to law enforcement and an investigation is currently underway. Users of the myfitnesspal app are also being contacted by Under Armour about the breach and are being advised that they will need to change their passwords. Users are being sent information on further steps they can take to protect their data.
While it’s currently unclear precisely how the attackers got access to the Under Armour user information, the company has pledged to do better.
“We continue to make enhancements to our systems to detect and prevent unauthorized access to user information,” Under Armour stated.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.