Under Armour has taken steps to notify 150 million MyFitnessPal users of a data breach that might have affected their account information.
On 29 March, Under Armour published a statement announcing that it was working to notify approximately 150 million users of MyFitnessPal, the American clothing manufacturer’s food and nutrition app and website, about a digital security incident.
According to a dedicated company FAQs page, Under Armour detected the security issue on 25 March 2018 when it learned that an unauthorized party had viewed data pertaining to MyFitnessPal users’ accounts. The actor is thought to have exposed the usernames, email addresses and hashed passwords for 150 million users during the month of February.
The company used bcrypt to protect users’ passwords and SHA-1 to safeguard all other account information.
Under Armour writes on its FAQs page that the incident did not expose users’ other personal details:
“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.”
After learning of the issue, the clothing manufacturer began notifying affected MyFitnessPal users about the breach. It’s urging them to change their passwords immediately. Those contacted by Under Armour can use experts’ recommendations to create a strong password for their MyFitnessPal account.
The company is also recommending that users monitor their accounts for suspicious activity, exercise caution around unsolicited communications that request personal information from them and avoid clicking on suspicious links and email attachments.
In the meantime, Under Armour has said it will be monitoring for abnormal activity on its end while it works with law enforcement to figure out who’s responsible for the security issue and how they exploited it to access users’ information. It also announced its intention to bolster the defenses of its security systems when it comes to identifying instances of unauthorized access to user data.