MyFitnessPal Reveals Data Breach of 150 Million User Accounts

MyFitnessPal, owned by Under Armour, Inc. (NYSE: UA, UAA), notified users via email and in-app messaging that a data breach occurred at the company. According to the email sent to users, on March 25, 2018, MyFitnessPal learned that an unauthorized party acquired data from MyFitnessPal users during the month of February. The data included user names, email addresses and hashed passwords. MyFitnessPal said it is working with ‘leading data security firms’ to assist in the investigation, and they are coordinating their efforts with law enforcement.

[Editor’s Note: Under Armour said in a press release that it notified users of the breach on March 29. However, as a user, I didn’t receive my email notification until yesterday, April 9.]

MyFitnessPal said the affected data did not include social security numbers or drivers’ license numbers, which the company does not collect, nor did it include payment card information because that information is collected and processed separately. According to the Under Armour news release, approximately 150 million user accounts were affected by the data breach.

Specific actions being taken by MyFitnessPal include:

• Notifying users of the breach
• Requiring MyFitnessPal users to change their passwords immediately
• Monitoring for suspicious activity and coordinating with law enforcement authorities
• Making enhancements to their systems to detect and prevent unauthorized access to user information

The company also set up an FAQs page with more information about the breach and how users can learn more or get help with their MyFitnessPal account.

‘We take our obligation to safeguard your personal data very seriously and are alerting you about this issue, so you can take steps to help protect your information,’ said Paul Fipps, chief digital officer, in the email.

MyFitnessPal recommends that users do the following to safeguard their personal data:

• Change passwords for other accounts with a password similar to the one used on MyFitnessPal.
• Review accounts for suspicious activity.
• Be wary of unsolicited communications asking for personal data.
• Avoid clicking on links or downloading attachments from suspicious emails.

This news came out around the same time news was revealed about the Facebook data breach in which Cambridge Analytica allegedly stole data from 87 million Facebook users. According to Mashable, starting yesterday, users began seeing notifications at the top of their newsfeeds notifying them if their data had been stolen or misused by Cambridge Analytica. Facebook users will see one of two messages:

Insider Take:

Here’s another example of a massive data breach where the company learns of a breach, but takes time notifying users and the public. In its news release, Under Armour said it began notifying users four days after the breach, or March 29. If that’s true, that’s faster notification time than we’ve seen in other breaches. However, it seems that email notifications would be easy to send out, and based on my experience, it took more than two weeks for MyFitnessPal to notify me. Why did I just receive my notice on April 9? GDPR is on the right track requiring companies to do notifications within 72 hours. Perhaps the U.S. should consider adopting a similar regulation to help us better protect our data.