Fitness apparel firm Under Armour said 150 million users of its MyFitnessPal app are victims in a breach exposing user names, email addresses and hashed passwords.
The company said personal identifiable information such as credit card numbers and social security numbers were not part of the breach. Under Armour purchased MyFitnessPal, a diet, nutrition and exercise tracking website and app, in 2015 for $475 million.
In a statement sent to customers on Friday the company said on March 25, 2018 Under Armour became aware that in February of 2018 “an unauthorized party acquired data associated with MyFitnessPal user accounts.”
“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement.
“What Under Armour did different was they came clean about the breach almost immediately. And they are getting a lot of kudos for this,” said George Avetisov, CEO of security firm HYPR. “It should prove that whether there’s regulatory enforcement or not, companies have a duty to their customers and fiduciary responsibility to reveal these breaches as soon as possible.”
By comparison it took LinkedIn four years to discover and disclose its breach of 117 million email and passwords. With Yahoo, it took three years to investigate and disclose a massive data breach of account information tied to 3 billion users. It took Dropbox four years to report details of more than 68 million user accounts that leaked in 2012.
“The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords,” according to an email sent to customers signed by Paul Fipps, chief digital officer at Under Armour.
Bcrypt is 19-year-old security algorithm designed for hashing passwords and is based on the Blowfish symmetric block cipher cryptographic algorithm. The algorithm is considered secure and uses technique called Key Stretching, designed to make brute force attacks more difficult.
However, according to noted breach expert Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, some of MyFitnessPal account data was protected by the SHA-1, an older, weaker hashing function.
“This echoes what happened with Dropbox. It had about half their hashes as SHA-1 and half their hashes as Bcrypt,” Hunt said in his weekly video blog. “What a lot of companies do is they have a legacy hashing algorithm approach and time goes by and they say ‘SHA-1 isn’t any good anymore and we should use Bcrypt.’”
He argues the window of time to port millions of SHA-1 protected credentials (as users log on one at a time) to Bcrypt is too long, leaving millions of credentials vulnerable to cracking.
Under Armour declined to say what percentage were stored using SHA-1, only saying it was a minority.
Fipps said customers will be required to change their passwords in the coming days.
“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” Fipps wrote to MyFitnessPal users.
The MyFitnessPal breach is the largest breach of 2018, so far.
“This is an old story and shows we are still not learning from the last mammoth breach. The fact is, whether it’s passwords or medical data, what these companies are doing is putting all these pieces of data in one place creating a single point of failure,” Avetisov said.
(This article was updated 3/30/2018 at 2 pm ET with a short statement from Under Armour)