Under Armour reports MyFitnessPal data breach affecting 150 million accounts

April 3, 2018

    In 2015 Under Armour bought the MyFitnessPal website and app, which provide nutrition and exercise functionality, for $475 million. It forms part of Under Armour's connected fitness division, whose revenue last year accounted for 1.8 percent of the company's $5 billion in overall sales.

    On 29 March 2018 Under Armour reported a data breach of their MyFitnessPal website and app that impacted 150 million user accounts.

    Under Armour became aware of the massive breach on 25 March, 4 days prior to their announcement, but the breach is said to have occurred in late February through unauthorised access. Under Armour has not yet disclosed how the breach transpired and is still investigating the details surrounding it and the identity of the unauthorised party behind it.

    The data affected includes usernames, email addresses and hashed passwords (most hashed using bcrypt and some with SHA-1). Unfortunately, those hashed with SHA-1 (a weak and flawed function) are far more vulnerable. As a result, some passwords are better protected than others, which is not good at all.
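
A mixed store like the one described above is usually cleaned up by re-hashing each legacy password the next time its owner logs in. The sketch below is an added example, not Under Armour's code: the record format, account names and passwords are constructed, and standard-library scrypt stands in for bcrypt so it runs without third-party packages.

```python
import hashlib
import hmac
import os

# Constructed record format (an assumption, not MyFitnessPal's schema):
#   legacy:  "sha1$<hex digest>"
#   current: "scrypt$<salt hex>$<derived key hex>"
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # work factor: ~16 MiB per guess

def hash_new(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "scrypt":
        salt_hex, _, dk_hex = rest.partition("$")
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed

def login(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        db[user] = hash_new(password)  # plaintext is only available here
    return True

def legacy_accounts(db: dict) -> list:
    """Accounts still on the fast hash: candidates for a forced reset."""
    return sorted(u for u, h in db.items() if not h.startswith("scrypt$"))

def sample_db() -> dict:
    # Constructed accounts and passwords, for illustration only.
    return {
        "alice": "sha1$" + hashlib.sha1(b"correct horse battery").hexdigest(),
        "bob": "sha1$" + hashlib.sha1(b"tr0ub4dor&3").hexdigest(),
        "carol": hash_new("staple-gun-42"),
    }

if __name__ == "__main__":
    db = sample_db()
    print("legacy before:", legacy_accounts(db))
    login(db, "alice", "correct horse battery")
    print("legacy after alice logs in:", legacy_accounts(db))
```

Re-hashing only protects against a future exposure: hashes already taken in a breach stay crackable, so accounts that never log in again remain on the weak scheme until their passwords are reset.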

    Under Armour has indicated that payment card data has not been compromised due to this data being processed separately. Additionally, government-issued identifiers (such as social security numbers and driver’s license numbers) were not affected as they do not collect or process this user data.

    “The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords,” according to an email sent to customers signed by Paul Fipps, chief digital officer at Under Armour.

    Under Armour came clean about the breach very quickly and notified users of the breach via email and in-app messaging, recommending that users change their passwords immediately and be cautious of any suspicious activity and communications asking for personal details.

    Under Armour is working with data security firms to assist with the investigations and coordinating with law enforcement authorities. They are taking actions to protect their MyFitnessPal community by monitoring suspicious activity and making the necessary changes to their systems to enhance security.

    The MyFitnessPal breach is the largest breach of this year, so far. It has impacted 150 million individuals and caused Under Armour shares to fall by approximately 2.5%.

     

    BBC News:

    http://www.bbc.co.uk/news/technology-43592470

    Under Armour:

    http://www.uabiz.com/

    http://www.uabiz.com/releasedetail.cfm?ReleaseID=1062368