150 million MyFitnessPal accounts compromised

Under Armour’s hugely popular fitness tracker, MyFitnessPal, has been hacked. If you’re one of the 150 million or so users of the app or website don’t panic, but do change your password.

If you use Facebook to log in to MyFitnessPal you do not need to change your Facebook password.

If you use your MyFitnessPal password on any other websites, change your password on those websites – choose a different, strong password for each one (consider using a password manager if that sounds too difficult).

Under Armour says it’s notifying users of MyFitnessPal about the breach. It’s possible that criminals will try to take advantage of this by sending malicious tweets or emails that look like they’ve come from Under Armour.

You can protect yourself by be being proactive: read Under Armour’s notice of data breach and check its account security FAQs.

Don’t click on links in emails that seem to have come from Under Armour or MyFitnessPal. The company has made a clear statement that it will not send emails with links or attachments about this issue:

Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal

If you need to visit MyFitnessPal use a browser bookmark if you have one, open your browser and type the address: https://www.myfitnesspal.com/ if you don’t, or just use the app on your phone.

The bad news

On 29 March 2018 Under Armour began informing users of MyFitnessPal that it has suffered a data breach at some point during the previous month:

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

The data at risk are the credentials used to access MyFitnessPal accounts:

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

Crooks have therefore had at least a month to send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).

That’s why it’s important that you change your password on your MyFitnessPal account, and any other accounts using the same password, without delay.

Since the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk.

MyFitnessPal is a fitness tracker that knows your name, address and age, and tracks your diet and exercise. That data that might not seem very important (and losing it certainly isn’t as important as losing control of, say, your banking details) but it is the kind of information that can be used to make social engineering attacks, such as phishing, more convincing.

The not so bad news

People, processes and software are imperfect and beaches can happen to anyone, even companies that take every reasonable precaution to prevent them.

The damage caused by a breach is in large part a matter of how well it’s been planned for and how it’s handled when it happens.

It’s not uncommon for more facts to come to light in the weeks and months following a breach, not least because companies are often still investigating them when they first notify customers.

With that caveat, Under Armour appears to have done a lot right:

  • The breach was identified reasonably quickly.
  • The notification was fairly prompt, clear and unspun.
  • The data affected by the breach is limited in scope.
  • Most passwords seem to have been properly protected.

The storage of passwords is particularly important – by hashing your passwords with bcrypt MyFitnessPal has given you a fighting chance.

The crooks haven’t got your password – they’ve got a hash of your password that needs to be cracked.

Cracking costs money (because it takes time and computing power) and bcrypt is designed to make seriously heavy weather of it.

How much resistance bcrypt puts up depends on how its configured (on the number of iterations it uses) and Under Armour have not provided that information.

Dean Pierce is a blogger who decided to have some fun cracking hashes that were leaked during the Ashley Madison data breach. His experience is instructive of how well bcrypt can defend your password after a breach if the iterations are dialled up.

Pierce set out to crack six million hashes using oclHashcat running on a $1,500 bitcoin mining rig (a very efficient setup for cracking passwords).

After five days and three hours of continuous number crunching he turned off his rig. He had cracked just 4,000 of the very worst passwords.

There’s a good chance that your MyFitnessPal password is still unknown, even though it was leaked over a month ago, which is why what you do today matters.

Change it now and you aren’t just making your account safe, you’re making sure any the time and money the crooks have committed to cracking your password was wasted.

Source: Naked Security