Another day, another data breach. Actually, all data breaches aren’t created equally. I should say, another massive data breach. Urban Armour shared that on March 25 it discovered unauthorized access that exposed or compromised 150 million MyFitnessPal accounts.
MyFitnessPal is a popular fitness tracking app that has been around for a long time. It was founded in 2005 and enables users to monitor calorie intake and exercise. Urban Armour acquired MyFitnessPal about three years ago for $475 million.
Urban Armour deserves some credit for how quickly it has notified users and made the details of the incident public once the issue was discovered. It is not uncommon for companies to delay the inevitable by weeks or months. Once the General Data Protection Regulation (GDPR) goes into effect in May, that should solve that problem for the most part—but that’s another story. Kudos to Urban Armour for its response so far.
How Did this Happen?
A post on the MyFitnessPal site shares the details known so far and offers some guidance for affected users. It explains that Urban Armour is notifying all MyFitnessPal users to provide information about how to protect their data, requiring all users to change their passwords, working with law enforcement to investigate and continuing to monitor for suspicious activity, and exploring enhancements to help detect and prevent similar unauthorized access in the future.
“The details about how Under Armour was breached are not available yet, but it would not be surprising to find that the company is joining Yahoo, Uber, Equifax, and others who have been exploited via identity and access,” shared Tom Kemp, CEO of Centrify. “The traditional cybersecurity approach of ‘trust, but verify’ simply does not work anymore in today’s mobile-first, cloud-enabled world where employees can be anywhere and working on multiple devices.”
There aren’t any details yet, but there’s a good chance Kemp is right. Whether an attack is executed by a trusted employee or an external cybercriminal, it is most often done using valid, authorized user credentials. It isn’t enough to just try and guard the gate and keep unauthorized users out—there has to be a way to monitor what’s going on inside the network as well, and whether or not there is anomalous or suspicious activity to be concerned about.
Kemp explained, “The new mandate is ‘never trust, always verify.’ To protect against breaches that exploit weak or stolen credentials, companies need to adopt a Zero Trust Security model, which assumes that untrusted actors already exist both inside and outside the network. Then they must enforce that approach with next-gen access to verify every user, validate their devices, limit access and privilege, and learn and adapt to user behavior.”
“Unfortunately, we will continue to see large-scale breaches of the applications and services we rely on until security and privacy become board-level priorities,” cautioned Malcolm Harkins, Chief Security and Trust Officer for Cylance. “We need to think beyond the existing traditional view of security as yet another cost center and embrace next-generation security products that enable predictive prevention of attacks before they cause damage.”
The good news for those affected is that the only data that was exposed or potentially compromised was usernames, email addresses, and encrypted passwords. More sensitive—and potentially more harmful—data like Social Security numbers or driver’s license numbers are not collected by MyFitnessPal, and the bank and credit card details are collected and processed separately.
Urban Armour states that most of the passwords were encrypted with bcrypt—which is a relatively strong password hashing mechanism. However, some of the passwords were protected using a significantly weaker 160-bit hashing function, SHA-1.
“It’s remarkable the number of companies still storing credentials using insecure hashing algorithms, without salt, etc.,” declared Daniel Miessler, a Director of Advisory Services with IOActive. “Because this is opaque to the customer, users of these types of applications really need to assume this is the case, and that the site will be eventually compromised. We can limit the damage from these types of breaches simply by ensuring that when a hash for a site is compromised, it’s either too long/complex to guess or is only used for that one site.”
Neil Haskins, also a Director of Advisory Services with IOActive, agrees that one of the keys to password security—even when the passwords are encrypted and secure—is to use different passwords for each app, service, and website. “Interestingly in their defense, Under Armour states that the passwords are encrypted with strong levels of encryption. As we know, the vast majority of people use the same password for many of their accounts—be it Facebook, Instagram or MyFitnessPal. The risk here is that, should the bad guys work out the password, what damage could they do? if I know your username and password—the same ones you use for all your social media accounts and banking–what’s the worst that could happen?”
Fallout of the MyFitnessPal Data Breach
Under Armour addressed the issue quickly and the response so far is admirable, but that doesn’t mean there won’t be consequences. In the wake of disclosing the MyFitnessPal data breach, Under Armour shares have dropped as much as 4.6 percent so far.
“This breach is another proof point that organizations need to rethink security, as the traditional status quo is not working and the stakes for properly securing access to corporate resources and handling security incidents couldn’t be higher,” said Centrify’s Kemp. “In fact, a recent Ponemon study found that stock prices fall an average of five percent the day a breach is disclosed, and companies experience up to a seven percent customer churn. While I applaud Under Armour for quickly and effectively reporting the breach, it will likely displace consumer trust and potentially wipe out additional value quickly.”
The good news for Under Armour is that there generally doesn’t seem to be significant long-term impact. Companies like Target, Sony, and Equifax that have suffered major data breaches have all managed to rebound relatively unscathed. Only time will tell how this all plays out with Under Armour and MyFitnessPal.