Under Armour has started notifying users of the MyFitnessPal app of a security breach that took place in late February 2018, and during which hackers made off with the personal details of nearly 150 million user accounts.

The company said it only discovered the breach four days ago, on March 25. Under Armour is still investigating the incident together with data security firms.

The hackers made off with usernames, email addresses, and hashed passwords. The passwords were protected with bcrypt, a secure hashing function.

No payment card data exposed

Payment card data was not exposed because it was “collected and processed separately,” said Under Armour in a data breach notification sent to the California Office of the Attorney General.

But even if bcrypt is considered a secure password hashing function, Under Armour is now asking all MyFitnessPal users to change their account passwords, just to be on the safe side.

The biggest danger is that MyFitnessPal users might see an increase in spam in the coming days, as the stolen data is not useful besides adding users’ emails to spam lists.

Under Armour warns of phishing and scam attempts

The company is also warning users to not fall victims to phishing scams that may leverage the “security breach” to lure users on phishing sites.

Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails.

Under Armor has also shared a copy of the email affected customers will receive.

MyFitnessPal is an app that helps users track diet and exercise plans. Under Armour acquired MyFitnessPal in February 2015.