
This article was published on March 29, 2018

    MyFitnessPal breach compromises 150 million user accounts

    Story by Bryan Clark, Former Managing Editor, TNW

    Bryan is a freelance journalist.

    Under Armour began notifying users today about a data breach that compromised 150 million accounts on its popular lifestyle app, MyFitnessPal — a free calorie counter and exercise journal available on both iOS and Android. The company first learned of the breach today and acted quickly to notify users via both email and in-app notifications.

    The breach reportedly occurred during February of this year, and compromised user details like usernames, email addresses, and hashed passwords.

    Under Armour states that the majority of the stolen passwords are hashed with an algorithm called “bcrypt.” While bcrypt is generally considered safe — meaning hackers who gain access to databases containing these passwords can’t read them in plaintext — it is prone to implementation mistakes, as Ashley Madison users discovered during its 2015 breach.

    In an ideal implementation, the bcrypt algorithm is so slow and computationally demanding that it would take centuries to crack user passwords — rendering them all but useless. In the Ashley Madison hack, however, two implementation errors allowed researchers to crack more than 11 million of the passwords in just 10 days.
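As an added example (not from the article or from Under Armour): because only "the majority" of the passwords are described as bcrypt-hashed, a defender reviewing a credential table would want to know which rows are bcrypt, at what cost factor, and which are something else. The function names, the `MIN_COST` threshold and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt modular-crypt layout: $2a$/$2b$/$2x$/$2y$ + two-digit cost + 22-char salt and 31-char digest
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
MIN_COST = 10  # assumed policy floor for this example, not a figure from the article


def classify(stored):
    """Return (label, cost) for one stored password value; cost is None unless bcrypt."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        if not 4 <= cost <= 31:  # bcrypt defines cost factors 4..31 only
            return "malformed", None
        return ("bcrypt-ok" if cost >= MIN_COST else "bcrypt-low-cost"), cost
    if HEX_DIGEST_RE.match(stored):
        # Length heuristic only: a bare hex digest is the shape of a fast, general-purpose hash
        return "fast-hash-shaped", None
    return "unknown", None


def audit(rows):
    """Count rows per label and list users whose password should be re-hashed on next login."""
    counts, rehash = Counter(), []
    for user, stored in rows:
        label, _ = classify(stored)
        counts[label] += 1
        if label != "bcrypt-ok":
            rehash.append(user)
    return counts, rehash


# Constructed sample rows; PAD stands in for salt+digest and is not a real hash
PAD = "N" * 53
SAMPLE = [
    ("alice", "$2b$12$" + PAD),
    ("bob", "$2a$05$" + PAD),
    ("carol", "ab" * 20),
    ("dave", "$2b$12$truncated"),
    ("erin", "$2b$03$" + PAD),
]

if __name__ == "__main__":
    counts, rehash = audit(SAMPLE)
    print(dict(counts), rehash)
```

Each extra unit of cost doubles the number of bcrypt key-setup rounds, so rows flagged as low-cost or fast-hash-shaped are the ones whose protection falls furthest short of the "centuries" figure.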

    For the time being, we have no reason to believe that Under Armour will be plagued by the same errors. That said, users should change their passwords immediately — a step which, according to a release by MyFitnessPal, should be forced on users in the coming days anyway.