The MyFitnessPal virtual health and wellness assistant has copped to a data breach affecting 150 million accounts; hackers made off with user names, email addresses and bcrypt-hashed passwords.
While details of how hackers exploited the accounts are still emerging, this appears to be the largest data breach of 2018 to date.
The intrusion occurred in February, but the Under Armour–owned company said in a notice that it wasn't aware of the breach until March 25. Fortunately, the affected data did not include Social Security numbers or driver's license numbers, because the app doesn’t collect that information; nor did it affect payment card data, which in another win for network segmentation, is collected and processed separately.
While the event thankfully doesn’t impact financial accounts, John Gunn, CMO at VASCO Data Security, pointed out that there’s an opportunity to up the ante on data security across the board.
“This event, like similar ones where credit-card data is not taken in a breach, demonstrates the value of enforcing security requirements,” he said, via email. “If businesses applied the Payment Card Industry Data Security Standards (PCI DSS) to all data and not just credit-card information, you would see a lot less personal information, such as user names, email addresses and passwords, getting into the hands of hackers.”
MyFitnessPal users are being required to change their passwords. In terms of mitigation, users should of course immediately do that, but they should also be aware that the information taken could be used for phishing attacks, which is where the real danger lies. Any user should avoid clicking on links in emails, social media posts or other messages that seem to have come from Under Armour or MyFitnessPal.
Also, if a user repurposes the MyFitnessPal password on any other websites, especially for banking accounts or similar websites, they should immediately change their passwords on those websites – and choose a different, strong password for each one.
“The reuse of passwords in situations like this may seem like short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of MasterCard-owned NuData Security, via email.