MyFitnessPal data breach exposes email addresses, passwords of 150M accounts

By Mikey Campbell

Under Armour's popular health and nutrition app and corresponding website MyFitnessPal was hit with a security breach in February that exposed the usernames, email addresses and passwords of about 150 million users, the company said on Thursday.

Under Armour began notifying users affected by the issue today via email and in-app notifications, according to a press release. Along with standard security recommendations, Under Armour will require users to reset their passwords in the near future.

The fitness firm said it discovered evidence of the breach on March 25, saying a third party gained unauthorized access to approximately 150 million user accounts in late February. A subsequent investigation into the matter suggests the nefarious actor or actors made off with information including usernames, email addresses and passwords, many of which were secured with the bcrypt hashing function.

Not included in the data stash was government-issued identifiers like Social Security numbers and driver's license data, as MyFitnessPal does not collect such information from its customers. Payment data was also not affected since the firm collects and processes those particulars separately.

Under Armour said it is working with data security firms in the ongoing investigation. Whether the breach impacted the company's other digital brands, including running and cycling tracker Endomondo and Map My Run, is unknown at this time.

One of the oldest apps on the iOS App Store, MyFitnessPal is an immensely popular calorie and activity monitoring tool that has garnered millions of users over 13 years of service. The title consistently maintains a spot in Apple's top charts for free Health & Fitness apps, and sits in the No. 2 position as of this writing.

Under Armour purchased MyFitnessPal in 2015 in a deal worth $475 million. At the time, reports indicated the app boasted 80 million registered users.