The American sports gear maker Under Armour has accepted that as many as 150 million MyFitnessPal users account is affected with data breach which is believed to have happened in February or before. MyFitnessPal is a free smartphone app and website that tracks diet and exercise to determine optimal caloric intake and nutrients for the users' goals and uses gamification elements to motivate users. It was acquired in 2015 by Baltimore-based firm for $475 million and thereafter became an integral part of the company's connected fitness division, whose revenue last year accounted for 1.8 % of Under Armour's $5 billion in total sales.
In a statement Under Armour said that on March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. “The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.”
Company informed that it was working with a data security firms to assist in its investigation, and also coordinating with law enforcement authorities. The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
Under Armour said that the affected data did not include government issued identifiers such as Social Security numbers and driver's license numbers which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately.
Company said that four days after learning of the issue, it began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.