MyFitnessPal data breach: 150 million app users affected

Last week it was confirmed that the personal details of approximately 150 million users of Under Armour’s MyFitnessPal app were compromised after criminal hackers acquired usernames, email addresses and hashed passwords.

This is one of the biggest hacks in history and, although payment card data was not affected, app users are likely to be concerned.

What happened?

Fortunately, the majority of stolen passwords were hashed using the ‘bcrypt’ mechanism. This provides advanced protection against password cracking, as the process becomes incredibly time-consuming and resourceful.

However, Under Armour has admitted that a proportion of the stolen passwords were hashed using a very weak function called SHA-1. It is therefore urging users to change their passwords immediately.

Leading security researcher Troy Hunt has told the BBC: “To its credit, Under Armour appears to have made an announcement on this within four days, and its method of password storage is quite robust.”

He went on to say that this was a “vast improvement” compared to other high-profile data breaches, such as Equifax or Uber, that occurred last year.

What should you do?

If you are a MyFitnessPal user, Under Armour is taking the following steps:

  • Notifying users to provide information on how to protect their data (you should have received an email from MyFitnessPal notifying you of the breach).
  • Requiring users to change their passwords immediately.
  • Monitoring for suspicious activity and coordinating with law enforcement authorities.
  • Enhancing its systems to detect and prevent unauthorised access to user information.

It has also reminded users to avoid clicking on links or downloading attachments from such suspicious emails.

How could this data breach have been prevented?

Although Under Armour hasn’t provided any information about how the data breach was identified or how the criminal hackers got into the network, Wired.com has reported that “it could be the result of keeping too much IT work in-house rather than seeking out more specialised practitioners”.

No matter how secure you think your organisation is, in the current threat landscape, targeted attacks by skilled and persistent cyber criminals are now a worrying business reality for all.

Adopt a cyber resilient posture to reduce the impact of a data breach

Cyber resilience is a broad approach that encompasses cyber security and business continuity management: it aims not only to defend against potential attacks, but also to ensure your organisation’s survival following an incident.

Adopting a cyber resilient posture will help your organisation to:

  • Defend against potential attacks;
  • Respond to and recover from a successful breach;
  • Reduce financial losses;
  • Meet legal and regulatory requirements, such as the EU General Data Protection Regulation (GDPR);
  • Improve your organisation’s culture and internal processes; and
  • Protect your organisation’s brand and reputation.

Cyber Resilience Toolkit - ISO 27001 ISMS and ISO 22301 BCMSTake the first step towards achieving cyber resilience with IT Governance’s new Cyber Resilience Toolkit.

Combining our bestselling ISO 27001 ISMS and ISO 22301 BCMS toolkits, you will receive a comprehensive set of fully customisable project tools, templates, policies and procedures for an effective cyber resilience framework.

The toolkit will help protect your organisation’s information assets, and respond and successfully recover from an incident.

View sample policies and procedures from the toolkit >>