Under Armour's popular health and nutrition app and corresponding website MyFitnessPal was hit with a security breach in February that exposed the usernames, email addresses and passwords of about 150 million users, the company said on Thursday.
Under Armour began notifying users affected by the issue today via email and in-app notifications, according to a press release. Along with standard security recommendations, Under Armour will require users to reset their passwords in the near future.
The fitness firm said it discovered evidence of the breach on March 25, saying a third party gained unauthorized access to approximately 150 million user accounts in late February. A subsequent investigation into the matter suggests the nefarious actor or actors made off with information including usernames, email addresses and passwords, many of which were secured with the bcrypt hashing function.
Not included in the data stash were government-issued identifiers like Social Security numbers and driver's license data, as MyFitnessPal does not collect such information from its customers. Payment data was also not affected since the firm collects and processes those particulars separately.
Under Armour said it is working with data security firms in the ongoing investigation. Whether the breach impacted the company's other digital brands, including running and cycling tracker Endomondo and Map My Run, is unknown at this time.
One of the oldest apps on the iOS App Store, MyFitnessPal is an immensely popular calorie and activity monitoring tool that has garnered millions of users over 13 years of service. The title consistently maintains a spot in Apple's top charts for free Health & Fitness apps, and sits in the No. 2 position as of this writing.
Under Armour purchased MyFitnessPal in 2015 in a deal worth $475 million. At the time, reports indicated the app boasted 80 million registered users.
11 Comments
No response from them yet.
Greeaaaat...this one predated my use of the Safari password generator feature.
Ok, why are so many companies having their data breached? Don't they follow protocols? Do they implement pattern algorithms that can detect if the data is illegally used? This really makes no sense. A company should be alerted if there's an unusually large volume of personal data being transmitted. Something is really fishy with those companies having their large volume of user data breached to a few people.