Slashdot Mirror


Under Armour Says 150 Million MyFitnessPal Accounts Were Hacked (fortune.com)

Under Armour said about 150 million user accounts for its MyFitnessPal nutrition tracker were breached earlier this year. From a report: An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week and took steps to alert users about the incident, the company said.

41 comments

  1. PR speak by rmdingler · · Score: 1

    It became aware of the breach earlier this week and took steps to alert users about the incident, the company said.

    ...took steps to alert users about the incident... sounds a whole lot less definitive, and somewhat shy of reassuring, than saying they "...alerted users about the incident..."

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:PR speak by supremebob · · Score: 1

      Yeah, that's total bullshit. I actually had a MyFitnessPal account at one point, and this is the first I heard of the breach. I didn't even know that Under Armour owned them now!

    2. Re: PR speak by BrianBeaudoin · · Score: 1

      I sure wasn't alerted. Glad I stopped uploading my data to it. I also realized I've still got my defunct Facebook account linked to a few services (including Slashdot) so I might as well unlink them while I'm at it.

    3. Re:PR speak by Anonymous Coward · · Score: 0

      I received an email from them about it this morning. Seems pretty straightforward to me. If your account was "at one point" do you still check the email used to sign up for it?

    4. Re:PR speak by Anonymous Coward · · Score: 1

      I used to use the same email and six character password for marginally useful web apps I didn't really care about. I got an email from facebook on Monday saying someone tried to access my account so I updated to a strong lastpass generated password but I was wondering what triggered the alert. It had to have been the myfitnesspal breach. I guess that's a good demonstration on why reusing short passwords is so dangerous. It's trivial these days to go through 150m salted passwords and reverse engineer all the easy ones with a dictionary attack.

    5. Re:PR speak by nospam007 · · Score: 1

      "I received an email from them about it this morning. Seems pretty straightforward to me. If your account was "at one point" do you still check the email used to sign up for it?"

      Nobody sane uses a real name or a real email address for services like this.

  2. another day.. by Anonymous Coward · · Score: 0

    another data breach is disclosed.

    film at 11.

  3. if you assume... by zlives · · Score: 1

    in this particular case you are not the ass.

    assume if you have an online account it is or will be hacked. then decide what information to share and if online is worth it.

  4. What If You Distributed Across 10 Systems? by dryriver · · Score: 1

    So you have 150 Million users. That's a lot of people. Distribute them over 10 different systems, each with different OBSTACLES to being hacked in place - i.e. each needs to be hacked in a slightly different way for anyone to get inside. A successful hack of 1 system would mean only 15 Million are exposed at one time. If you detect the hack as it happens, you can quickly take the other 9 systems offline, make changes to security, and so on and so forth, possibly saving 135 Million customers records from exposure. Why would you store 150 Million credentials in ONE place, one system, one database or whatever to begin with? What part of a Fitness Tracking App needs access to 149,999,999 other user's data to function? Divide up your users. Make each system slightly different to access.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.

    1. Re:What If You Distributed Across 10 Systems? by Lab+Rat+Jason · · Score: 1

      Uh... how about just distribute the accounts to the devices... all 150 million of them. Not everything needs to be connected these days.

      --
      Which has more power: the hammer, or the anvil?

    2. Re:What If You Distributed Across 10 Systems? by WankerWeasel · · Score: 1

      Have fun setting up and managing 10 different systems. Enjoy having to bloat your app to be able to know how to work with 10 different systems rather than 1. Have a great time with different bugs across different systems. There's a reason companies don't do this.

    3. Re:What If You Distributed Across 10 Systems? by Anonymous Coward · · Score: 0

      Why would you store 150 Million credentials in ONE place, one system, one database or whatever to begin with?

      Oh, I don't know. Maybe one attack vector with really great security vs 10 vectors with mediocre security?

    4. Re:What If You Distributed Across 10 Systems? by fedos · · Score: 1

      Because you don't just use it from a single device,

  5. unacceptable! by supernova87a · · Score: 5, Funny

    Great, now Russian operatives know how many times I can squat 75 pounds before needing to treat myself to 3 cookies.

    1. Re:unacceptable! by dryriver · · Score: 1

      42 times. You eat 4, not 3 cookies afterwards. And you wear underwear that is too tight when you squat. Na Zdorovie! =)

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.

    2. Re: unacceptable! by Anonymous Coward · · Score: 0

      I am the Russians you mention. I want blackmail informations. You not celebrity. No interest in leaking you videos of you workouts in a pink thong.

    3. Re: unacceptable! by dryriver · · Score: 1

      In Kardashian America, ANYONE working out in a pink thong IS a celebrity. If you really were Russian Intelligence, you would know that. You are Greek Intelligence posing as Russian Intelligence. You also have some Feta cheese in your mustache and a badly smudged lens on your webcam.

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.

    4. Re: unacceptable! by Anonymous Coward · · Score: 0

      Russians doggy style. Greeks 6 centimeter higher.

    5. Re:unacceptable! by Anonymous Coward · · Score: 0

      Last time you ate 4 cookies. I have the data to prove it!

    6. Re: unacceptable! by Type44Q · · Score: 2

      6cm

      Taint that much.

    7. Re: unacceptable! by Anonymous Coward · · Score: 0

      Russians doggy style.

      There was no verb in that sentence.

      Greeks 6 centimeter higher.

      There was no verb in that sentence, either. Consider revising so you form complete sentences, or intelligible thoughts.

  6. 150M accounts? by Khashishi · · Score: 2

    How do they even have 150M accounts? Do 2% of people on Earth have MyFitnessPal accounts?

    1. Re:150M accounts? by dryriver · · Score: 1

      Russian intelligence set up 133 Million fake MyFitnessPal accounts, so it could syphon Billions out of the U.S. economy. Except of course that the guy who filled in "Field Action Request Form 47-P-154-X-110-U-A-4" typed MyFitnessPal on the mechanical typewriter, rather than PayPal. Putin had him punished by having him thrown out of a plane over the Baltic, with a Sodomov A-47 mechanical fitness tracker shoved up his r*ctum.

      --
      Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.

    2. Re:150M accounts? by arth1 · · Score: 1

      How do they even have 150M accounts? Do 2% of people on Earth have MyFitnessPal accounts?

      Some probably have more than one account (forgot and created a new one, or wanted to start over fresh), but that number doesn't seem all that high.

      Mostly Americans too, I wager. These days, many health insurance companies and employees offer "incentives"[*] where you have to have a step tracker hooked up to their system. They often add support for catching data from some of the more popular fitness tracking sites like Strava and MyFitnessPal. But Strava is really mostly for runners, so the average insurance paying American Joe and Jill are more likely to have a MyFitnessPal account.

      [*]: I.e. increasing the premiums for everybody, and then give "rewards" for those who participate to get them back to the normal price. This is designed to skirt regulation that prohibits discrimination based on pre-existing conditions. Alice with rheumatism and Bob with a bum knee won't ever walk 10,000 steps a day, so in effect, they end up paying more than young Charlie.

    3. Re:150M accounts? by Anonymous Coward · · Score: 0

      How do they even have 150M accounts? Do 2% of people on Earth have MyFitnessPal accounts?

      Ever heard of this "tiny" global company called Under Armour? That might explain it.

      And the app itself works pretty damn well (largest database of food products I've found so far), which likely contributes to its popularity.

    4. Re:150M accounts? by Stud+McPeckChest · · Score: 2

      How do they even have 150M accounts?

      Under Armour seems to have purchased a whole herd of fitness sites and brought them together under them. I noticed that MFP, a cycling site and a running site I use (not with great results but I use them) all came under their control within the past few years. I also noticed a lot of overlap between the sites after the acquisitions so I am guessing that breaking into one system gave them access to everything. I actually kind of liked the homogeneity after the merges but this is the obvious downside.

  7. Free Credit Monitoring For Life! by Anonymous Coward · · Score: 0

    On the bright side, with the constant stream of high profile hacks, no need to ever pay for credit monitoring ever again. Free for life!

    Companies should be held financially liable for data breaches. Doing so would discourage many companies from collecting more data than absolutely necessary.

  8. Hacked ? by Anonymous Coward · · Score: 0

    Call me paranoid but I'd be willing to bet someone in the Under Armour corporate structure received monetary compensation for providing valuable data to the so-called hacker. I'd also be willing to place money that the data ends up in the hands of a large scale Pharmaceutical corporation or two...

    1. Re:Hacked ? by Anonymous Coward · · Score: 0

      Don't be. I'm sure some C-level already shorted their stock right before the announcement, and are laughing all the way to the bank right now.

  9. My fitness? by Anonymous Coward · · Score: 0

    We know for sure this doesn't affect creimer!

    1. Re:My fitness? by datavirtue · · Score: 1

      Chris....is that you?

      --
      I object to power without constructive purpose. --Spock

    2. Re:My fitness? by Anonymous Coward · · Score: 0

      No, not possible! Chris is busy fecalating his next video treat on YouTube, then he has to gain weight on a low-carb diet!

      After that he has to go check his 25 cashews sock pockets, check his side-business revenue streams, procrastinate at least 3 projects.

  10. fat by Anonymous Coward · · Score: 0

    Damn it. Now the Russians know how fat I am!!

  11. H4X0rz plan backfires by Provocateur · · Score: 1

    Damn, said the hacker. She's gonna know about my intimate apparel, AND my heart rate/stamina.
     
    Next up: Victoria's Secret Mwahahahaha. The plot sickens; but you have to admire the equal-opportunity h4x0rz

    --
    WARNING: Smartphones have side effects--most of them undocumented.

  12. Whaling by Anonymous Coward · · Score: 0

    I believe smart people are stupid.

  13. so what by AndyKron · · Score: 1

    If I was a security guard and people came in and stole a lot of stuff I would be fired. Who's getting fired here?

    1. Re:so what by arth1 · · Score: 1

      If I was a security guard and people came in and stole a lot of stuff I would be fired. Who's getting fired here?

      Probably sysadmins who repeatedly said that they had bad security and that changes were needed. Certainly not management who overrode their concerns because corporate security scanning software said everything was fine.

  14. Here is today's attack not stopped by APK's work by Anonymous Coward · · Score: 0

    So here is today's attack that was not stopped by APK's work. I'm sure he will be along shortly to tell everyone how it could have once someone updates a hosts file somewhere.