Under Armour says 150 million MyFitnessPal accounts breached

[ItsMitch]

Source: https://www.reuters.com/article/us-under-armour-databreach/under-armour-says-150-million-myfitnesspal-accounts-breached-idUSKBN1H532W

Athletic Apparel maker Under Armour has confirmed that 150 million MyFitnessPal accounts have been breached, the data stolen was names, email addresses and "scrambled passwords" (this concerns me as they don't mention if they was fully encrypted or not) 

Excerpt from Reuters

Quote

 

(Reuters) - Under Armour Inc (UAA.N) (UA.N) said on Thursday that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised in February, in one of the biggest hacks in history, sending shares of the athletic apparel maker down 3 percent in after-hours trade.

The stolen data includes account usernames, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said.

It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.

 

The firm said that they are working with law enforcement and only decided to inform their users yesterday of the breach (They knew 5 days ago). The company also went on to say they didn't know how exactly the hackers got in and out without triggering any security systems (Makes you wonder how secure it really was) and this is what their official statement was to the press when asked about should customers monitor their accounts.

Quote

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company said, adding that it was bolstering systems that detect and prevent unauthorized access to user information.

If you do happen to have an account with Under Armour,  CHANGE YOUR DAMN PASSWORDS

[Arika]

hang on

 

Quote

Social Security numbers

what the fuck does a fitness app need your SSN for?

[Dylanc1500]

My wife has an account with them and received an email from them yesterday to make her aware of the situation. So at least the made members aware pretty immediately.

 

Note: They didn't require her SSN. So I don't know what may have been different to cause the need (or lacktherof) for it.

[ItsMitch]

3 minutes ago, Sierra Fox said:

hang on

 

what the fuck does a fitness app need your SSN for?

That's a er-... that's a good point. No apps in the UK require my NIN (National Insurance Number)

[i_got_laid_by_a_dragoness]

This implies that people actually use MyFitnessPal? hahaha

[captain_to_fire]

29 minutes ago, SC2Mitch said:

this concerns me as they don't mention if they was fully encrypted or not

It's seems to be a shoddy encryption 

 

33 minutes ago, SC2Mitch said:

The stolen data includes account usernames, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said.

It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.

 

I pity those people who have to include social security numbers and driver's license numbers. I own some Under Armour apparel but I bought them from a physical store. Time to change passwords I guess.

 

2 minutes ago, i_got_laid_by_a_dragoness said:

This implies that people actually use MyFitnessPal? hahaha

I do. It's one of the tools I used to drop 33 pounds of body fat years ago especially when my doctor asked me to limit my caloric intake to just 1800 calories a day.

[ItsMitch]

3 minutes ago, hey_yo_ said:

It's seems to be a shoddy encryption 

 

HTTPS is fully there.

[Ryujin2003]

42 minutes ago, Sierra Fox said:

hang on

 

what the fuck does a fitness app need your SSN for?

I my issue isn't necessarily why it would ask for your SSN.. But consumers would you give it to a Willy Nilly?

[captain_to_fire]

11 minutes ago, SC2Mitch said:

HTTPS is fully there.

My fitness pal is not encrypted unfortunately 

[Energycore]

Isn't myfitnesspal also the service that revealed the location of multiple top secret military bases from the US Army?

[Misanthrope]

57 minutes ago, Sierra Fox said:

hang on

 

what the fuck does a fitness app need your SSN for?

 

 

No but seriously joking aside that's a legit wtf moment.

[ItsMitch]

Just now, Energycore said:

Isn't myfitnesspal also the service that revealed the location of multiple top secret military bases from the US Army?

Nah, that's another stupid company. https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

[AnonymousGuy]

MyFitnessPal doesn't ask for your SSN or DL number.  That's just a boiler plate statement saying they weren't compromised...because they didn't exist in the first place.

 

Basically the hack doesn't affect me in any way as a user.  My payments were done via the Apple App Store so it's indirect, my email address is probably already in 500 publicly circulating databases, the password I used with it I only use for things that I don't give a shit about (all of my email  and banking and important logins use two factor and unique passwords).

[PhantomJaguarr]

I received an email from them today about this. I haven't used the app in a couple years and didn't transfer it to my new phone. I changed my password anyway, of course. Shame. Felt like I just dealt with the Imgur breach.