MyFitness Pal Breach Hits 150 Million: What to Do Now
150 million user accounts with MyFitness Pal, an app owned by Under Armour, were compromised by a late February data breach.
Athletic-apparel maker Under Armour announced late Thursday (March 29) that its MyFitness Pal smartphone app had suffered a data breach affecting 150 million user accounts.
Compromised personal information included usernames, email addresses and "hashed" passwords that were passed through a one-way encryption function.
What to Do Now
If you have, or ever had, a MyFitness Pal account (the app works in conjunction with Garmin, Fitbit and many other kinds of wearable devices), go to the MyFitness Pal website and change your password immediately, and change it on any other account where you used that password. Under Armour will be forcing all users to change their passwords anyway.
MORE: What to Do After a Data Breach
The good news is that a "majority" of the passwords were hashed with the very strong bcrypt function, which is virtually impossible to crack if it is properly implemented. The bad news is that the rest were hashed with the SHA-1 function, which hasn't been considered safe to use since 2005.
Under Armour also warned users to watch out for phishing emails pretending to come from Under Armour or MyFitness Pal, and noted that none of the legitimate emails will request data, have attachments or have any links other than to the FAQ.
How Did This Happen?
"On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018," an Under Armour press release said. "The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident."
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
No financial information, such as credit-card numbers, was included in the compromised information, and nor were Social Security numbers or drivers'-license numbers.
Under Armour will be directly notifying all MyFitness Pal users, a FAQ posted online stated.
Best Identity Protection Services
Best Overall
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Best Tools
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.