Another day, another data breach – This time, hackers have hit Under Armour’s MyFitnessPal, a platform it bought in February 2015.
Under Armour Inc., has announced that it has been hit by a large-scale cyber attack in which hackers stole personal data from 150 million MyFitnessPal user accounts late February 2018.
In a statement, the Baltimore, Maryland based company said that it is unclear who was behind the hack but the stolen data include usernames, email addresses, passwords stored as bcrypt hashes.
The good news, however, no government-issued identifiers such as Social Security numbers or driver’s license numbers were stolen. Moreover, payment card data was also not impacted since the company processes customers financial data separately.
MyFitnessPal is a free smartphone app and website which tracks calorie, nutrition, diet, and exercise to determine optimal caloric intake and nutrients for the users’ goals. Under Armour Inc., bought MyFitnessPal in February 2015 for $475 million.
The company is notifying users through in-app messaging and email urging them to change their passwords immediately. The incident is being currently investigated by the law enforcement authorities.
More: Strava’s Global Heat Map Exposes User Locations Including Military Bases
In an in-depth analysis Engin Kirda, Lastline co-founder and Chief Architect, Ph.D., and Northeastern Professor answered questions surrounding the MyFitnessPal breach.
Question: The investigation indicates that the affected information included usernames, email addresses, and hashed passwords. How valuable is this information to hackers compared to other info like SS numbers and credit card details?
Engin: Usernames, email addresses, and hashed passwords are valuable sensitive information for attackers. Having the hashes means that attackers can launch offline brute-force guessing attacks against these passwords and potentially crack many of them as users are often notoriously bad in choosing good passwords. Email addresses are valuable for spammers because the attackers would know that active, real users are behind these addresses.
Question: Where will the hackers look to sell this data and make a profit?
Engin: The dark web is usually where data like this is sold to the highest bidder.
Question: Does this remind you of any other major data breaches?
Engin: It reminds me of the Sony hack several years ago, when Sony also lost similar information belonging to many of their customers.
Orbitz breach
The news of MyFitnessPal breach came days after Orbitz breach, a travel website that suffered a massive data breach in which personal data of 800,000 registered users was stolen. The similarity between both breaches is that Orbitz was bought by Expedia Inc., in September 2015.
Before Orbitz, PayPal’s TIO Networks suffered a data breach in which personal data of 1.6 million customers was stolen. PayPal bought TIO Networks in July 2017 for $233 million (€196m).
According to Mike Schuricht, VP Product Management, Bitglass: “Any organization that is acquired by or is acquiring another business and its IT assets typically have a major blind spot with respect to its legacy or non-production systems.”