On March 29, 2018, Under Armour disclosed a breach impacting 150 million users of its health and nutrition app, “MyFitnessPal.” The breach is thought to have occurred in February 2018 and resulted in potentially compromised email addresses, usernames, and hashed (scrambled) [1] passwords. According to Under Armour’s FAQs page, some accounts were protected by a weaker hashing technique (known as SHA1). Payment information and government-issued identifiers were not impacted by the breach. Under Armour is working with authorities and is in the process of notifying all users and encouraging them to change their passwords.

Our take

Although a large number of users were affected, this breach is likely not catastrophic for Under Armour. Its use of hashing to protect passwords and other personal information likely limited the impact on accounts with hashed passwords, although the same may not be true for accounts that relied on the weaker SHA1 technique. Similarly, important unique identifiers like birthdates and credit card numbers were not affected. This breach is a reminder that daily-use consumer apps remain vulnerable to breaches, even when managed and funded reasonably well by companies like Under Armour.
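Why a single unsalted SHA1 pass is the weaker way to store a password, and how legacy records can be upgraded at the next successful login, shown as an added example that is not from Under Armour or the original article. PBKDF2, the record format, the iteration count and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch; tune to your hardware

def legacy_sha1(password: str) -> str:
    """Legacy scheme: one fast, unsalted SHA1 pass."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 from the standard library)."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the record under its own scheme and compare in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        candidate = legacy_sha1(password)
    elif scheme == "pbkdf2":
        iters, salt_hex, _ = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        candidate = f"pbkdf2${iters}${salt_hex}${dk.hex()}"
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, record)

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then replace a legacy record while the plaintext is available."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("sha1$"):
        db[user] = slow_hash(password)  # upgrade-on-login migration
    return True

if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same password.
    db = {"alice": legacy_sha1("hunter2"), "bob": legacy_sha1("hunter2")}
    print("legacy records identical:", db["alice"] == db["bob"])
    login(db, "alice", "hunter2")
    login(db, "bob", "hunter2")
    print("upgraded records identical:", db["alice"] == db["bob"])
```

Accounts that never log in again keep their legacy record, which is why a forced password reset is the usual companion to this kind of migration.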

[1] Is anyone else hungry?