This week, Under Armour notified MyFitnessPal users of a data breach that the MyFitnessPal team discovered on March 25.
MyFitnessPal users were notified of the security issue via email and through in-app messaging beginning March 29. The company’s notice recommends that MyFitnessPal users change their passwords immediately, and indicates that they’ll be requiring password changes for all accounts.
It’s also a good idea to change the password of the email address associated with that account as well, just to be safe.
The Breach Details
Here’s what happened: An unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018, impacting an estimated 150 million user accounts.
MyFitnessPal’s investigation shows that usernames, email addresses, and passwords were affected; the majority of the passwords had been secured with the hashing function bcrypt.
No government-issued identifiers (e.g. Social Security numbers or driver’s license numbers) are collected on the website, so those aren’t at risk. Payment cards aren’t included either, as those are collected and processed separately. The investigation is ongoing, and additional information is available on the MyFitnessPal website.
MyFitnessPal says they’re continuing to monitor for suspicious activity, and planning enhancements to their current systems so they can detect and prevent additional unauthorized access to user information.
What to Do If You’re Part of a Breach
When hackers grab data from lifestyle sites like MyFitnessPal, they might not get Social Security numbers, bank-account info or credit card numbers—the types of data normally associated with identity theft.
But even just stealing your email address and some account information can make you more vulnerable to identity theft. That’s because this information can be bought and sold on the dark web long after the data breach happens. (You can run a free dark web scan here on Experian to see if your email address is compromised.)
And right after the breach, thieves typically move quickly via phishing scams, which use counterfeit emails to try to trick you into giving up personal info.
Here are some of the tactics identity thieves can pursue when armed with data from a lifestyle site or app, and some thoughts on how to thwart them:
1. Bogus Security Alerts
When data breaches occur, responsible app makers and website providers notify affected members and typically advise (or require) them to change account passwords. Knowing this, identity thieves may send you a highly convincing email claiming to be from the breached company, with a link or embedded form that you can ostensibly use to change your password.
The thieves will ask for your old password in the process, and maybe even give you a chance to set up some new security questions and answers. If you fall for the trap, fraudsters can gain your password (which may provide access to payment info in addition to the breached account data).
They may also harvest information like your mother’s maiden name or the name of your first teacher, which can help them penetrate other online accounts.
2. Protect Yourself Against Phishing Emails
To shield yourself against this trick, keep in mind that legit password-change emails never use forms embedded in the body of messages. Instead, they link you out to a login page where you can enter your username and password.
And before you do that, double-check the page address to make sure you’re on the site you trust. Better yet, if you get a password-change email, don’t click anything. Instead, log in directly, via a browser bookmark or the service’s smartphone app, and change passwords that way.
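One way to carry out the “double-check the page address” step programmatically, as an added example that is not part of the original article (the trusted domain and the sample links are constructed for illustration):

```python
from urllib.parse import urlparse

# Constructed example: the domain of the real service the user trusts.
TRUSTED_DOMAIN = "myfitnesspal.com"


def is_on_trusted_site(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only if the link really lands on the trusted domain.

    Mirrors the advice to inspect the page address: it looks at the host the
    browser would actually connect to, not at whether the brand name merely
    appears somewhere in the link text.
    """
    parsed = urlparse(url.strip())
    # A password page must be served over HTTPS; anything else fails outright.
    if parsed.scheme != "https":
        return False
    # .hostname drops any "user@" prefix and port, and lower-cases the host,
    # so "https://myfitnesspal.com@other.example/" resolves to other.example.
    host = parsed.hostname
    if not host:
        return False
    trusted = trusted_domain.lower()
    # Accept the domain itself or a genuine subdomain ("www.myfitnesspal.com");
    # "myfitnesspal.com.other.example" does not end with ".myfitnesspal.com".
    return host == trusted or host.endswith("." + trusted)


def triage_links(urls: list[str]) -> dict[str, str]:
    """Label each link so a reader can see which ones to ignore."""
    return {
        u: ("trusted" if is_on_trusted_site(u) else "NOT trusted: log in via bookmark")
        for u in urls
    }


if __name__ == "__main__":
    # Constructed sample links of the kind a password-change email might carry.
    samples = [
        "https://www.myfitnesspal.com/account/change-password",
        "https://myfitnesspal.com.security-update.example/reset",
        "https://myfitnesspal.com@other.example/login",
        "http://myfitnesspal.com/reset",
    ]
    for link, verdict in triage_links(samples).items():
        print(f"{verdict:40} {link}")
```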
3. Customized Scams
Aside from impersonating a breached company, cybercriminals can also use stolen lifestyle data to craft more convincing phishing scams. If they know you’re into running or cycling, or committed to weight loss or animal rights, for instance, the bad guys can frame their messages around those themes and hit you up with phony appeals for donations, subscriptions, and the like.
Scammers can get creative, targeting you with this information they’ve collected about you, so be on the lookout for a variety of scams. And keep in mind that email isn’t the only method of getting your attention—crooks may use phone or mail in addition to online methods to try to trick you into providing more information.
4. Don’t Reuse Passwords
Data stolen in a breach may include passwords in hashed (scrambled) form rather than in plain text. The thieves may (or may not) have the sophistication to recover those passwords before users change them. But the possibility that they could crack them points to the importance of using unique passwords for all of your various online accounts and app logins.
Doing so prevents a hacker from gaining access to all your online accounts by figuring out one password, and it saves you the hassle of scrambling to change all your account passwords any time one is compromised.
To help keep track of multiple passwords, consider using a password management product, such as the free password-tracking tool Dashlane, which is available for PC and Mac computers, and Apple and Android phones and tablets.
5. Protect Your Identity with Credit Monitoring and Alerts
If your personal info has been hijacked, constant vigilance goes a long way toward guarding you from scammers. But even greater protection is available.
By alerting you to any suspicious activity involving your online accounts, products like Experian IdentityWorks can help you stay focused on your favorite activities, and spend less time watching your back.
6. Special-Interest Data
Specialized websites, smartphone apps, and wearable devices that help you compile and share information about your activities, hobbies and self-improvement efforts can be fun and motivating.
The best of them can analyze data—from you and thousands or even millions of others who share your passion—and make suggestions to help you get more out of things you like to do.
Crunching all that user data also means storing the data, and the organizations behind these services are subject to cyber attacks just like financial-services companies. MyFitnessPal isn’t the first app of its kind to be breached, and almost certainly won’t be the last.