MyFitnessPal data breach exposes email addresses, passwords of 150M accounts

Under Armour's popular health and nutrition app and corresponding website MyFitnessPal was hit with a security breach in February that exposed the usernames, email addresses and passwords of about 150 million users, the company said on Thursday.

Under Armour began notifying users affected by the issue today via email and in-app notifications, according to a press release. Along with standard security recommendations, Under Armour will require users to reset their passwords in the near future.

The fitness firm said it discovered evidence of the breach on March 25, saying a third party gained unauthorized access to approximately 150 million user accounts in late February. A subsequent investigation into the matter suggests the nefarious actor or actors made off with information including usernames, email addresses and passwords, many of which were secured with the bcrypt hashing function.

Not included in the data stash were government-issued identifiers like Social Security numbers and driver's license data, as MyFitnessPal does not collect such information from its customers. Payment data was also not affected since the firm collects and processes those particulars separately.

Under Armour said it is working with data security firms in the ongoing investigation. Whether the breach impacted the company's other digital brands, including running and cycling tracker Endomondo and Map My Run, is unknown at this time.

One of the oldest apps on the iOS App Store, MyFitnessPal is an immensely popular calorie and activity monitoring tool that has garnered millions of users over 13 years of service. The title consistently maintains a spot in Apple's top charts for free Health & Fitness apps, and sits in the No. 2 position as of this writing.

Under Armour purchased MyFitnessPal in 2015 in a deal worth $475 million. At the time, reports indicated the app boasted 80 million registered users.



11 Comments

macseeker 8 Years · 541 comments

appleric said:
No response from them yet.

Same with me. But just to be safe, I changed my password.

StrangeDays 8 Years · 12986 comments

Greeaaaat...this one predated my use of the Safari password generator feature.

netrox 12 Years · 1510 comments

Ok, why are so many companies having their data breached? Don't they follow protocols? Do they implement pattern algorithms that can detect if the data is illegally used? This really makes no sense. A company should be alerted if there's an unusually large volume of personal data being transmitted. Something is really fishy with those companies having their large volume of user data breached to a few people.

foggyhill 10 Years · 4767 comments


If they use bcrypt and did not use common passwords or very short ones, people are mostly ok I believe, but for common passwords, they can deduce the hash by just doing a forward hash with the salt and see if it matches the common ones, and then try it on other sites where you use the user name with the same password, like Facebook, etc.

That's why it's not a good idea to use short idiotic passwords and reuse passwords, essentially on things that are used to log into other sites (like fb and google) and sites that are critical (banking, etc).