MyFitnessPal, owned by Under Armour, is a calorie-counting application that helps people lose weight. On March 25th, 2018, MyFitnessPal “became aware” that there had been unauthorized acquisition of user data. Typically, “became aware” statements indicate that a third party found user data somewhere on the Internet, but they can also mean the result of an audit or the detection of malicious communication.
The user data obtained by the attackers includes usernames, email addresses, and passwords hashed with bcrypt. I’m glad to see that the bcrypt hashing algorithm was used because it is considered strong and, to my knowledge, hasn’t been broken even though it has been in use for over a decade.
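What makes a bcrypt-hashed leak less damaging than a plain-hash leak is the adaptive cost factor baked into every hash string, so the first thing a defender checks after an incident like this is what cost the stored hashes actually carry. The following is an added example, not code from the original post or from MyFitnessPal: a small Python audit that parses bcrypt's modular-crypt format (`$2a$`/`$2b$`/`$2y$`, two-digit cost, 22-character salt, 31-character digest), extracts the cost, and flags hashes below a chosen policy minimum or not in bcrypt format at all. The sample hashes are constructed to be syntactically valid only; they are not real hashes of any password, and the minimum cost of 12 is an assumed policy value.

```python
"""Audit stored password hashes for bcrypt format and work factor.

Added example, not from the original post. Sample hashes are constructed
(valid shape only, not real bcrypt output), and MIN_COST is an assumed
policy value.
"""
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet, which starts with "./" rather than
# the RFC 4648 "+/" ordering.
_B64 = r"[./A-Za-z0-9]"
_BCRYPT_RE = re.compile(
    rf"^\$(?P<variant>2[abxy])\$(?P<cost>\d{{2}})\$"
    rf"(?P<salt>{_B64}{{22}})(?P<digest>{_B64}{{31}})$"
)

MIN_COST = 12  # assumed policy minimum for this example


@dataclass(frozen=True)
class BcryptHash:
    variant: str
    cost: int
    salt: str
    digest: str

    @property
    def iterations(self) -> int:
        # bcrypt runs 2**cost rounds of its expensive key schedule; each
        # extra unit of cost doubles the work per guess for an attacker.
        return 2 ** self.cost


def parse_bcrypt(s: str) -> BcryptHash:
    """Split a bcrypt hash into its fields or raise ValueError."""
    m = _BCRYPT_RE.match(s)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return BcryptHash(m["variant"], cost, m["salt"], m["digest"])


def relative_work(cost_a: int, cost_b: int) -> float:
    """How many times more work a guess against cost_a takes than cost_b."""
    return 2 ** (cost_a - cost_b)


def audit(hashes, min_cost=MIN_COST):
    """Sort stored hashes into (ok, weak, malformed) buckets."""
    ok, weak, malformed = [], [], []
    for h in hashes:
        try:
            parsed = parse_bcrypt(h)
        except ValueError:
            malformed.append(h)
            continue
        (ok if parsed.cost >= min_cost else weak).append(h)
    return ok, weak, malformed


# Constructed sample store: one hash at policy, one below policy, and one
# 32-hex-character string that is not bcrypt at all.
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    ok, weak, malformed = audit(SAMPLE_HASHES)
    print(f"{len(ok)} at or above cost {MIN_COST}, "
          f"{len(weak)} below policy, {len(malformed)} not bcrypt")
    for h in weak:
        p = parse_bcrypt(h)
        print(f"  weak: cost {p.cost} is "
              f"{relative_work(MIN_COST, p.cost):.0f}x cheaper to guess than {MIN_COST}")
```

Run against an export of the credential table, the `weak` and `malformed` buckets are the accounts whose passwords deserve priority in a forced reset, and the `relative_work` figure is what to quote when explaining why raising the cost from 10 to 12 quadruples an attacker's effort per guess.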
MyFitnessPal did what most companies do when they learn that they were breached – hired a third-party incident response team to determine the scope of the intrusion. In addition to the incident response team, MyFitnessPal is working with law enforcement and data security firms to assist in the investigation. A data security firm is brought in to remediate the vulnerabilities that were used to gain unauthorized access.
Users have been provided guidance on how to protect their data, forced password changes are in effect, continuous monitoring has been deployed to gather more threat data for law enforcement, and vulnerability remediation is underway.