Under Armour began notifying users today about a data breach that compromised 150 million accounts on its popular lifestyle app, MyFitnessPal — a free calorie counter and exercise journal available on both iOS and Android. The company first learned of the breach today and acted quickly to notify users via both email and in-app notifications.
The breach reportedly occurred in February of this year and compromised user details such as usernames, email addresses, and hashed passwords.
Under Armour states that the majority of the stolen passwords are hashed with a password-hashing function called “bcrypt.” While bcrypt is generally considered safe (meaning that hackers who gain access to databases containing these hashes can’t read the passwords in plaintext), it is prone to implementation mistakes, as Ashley Madison users discovered during its 2015 breach.
In an ideal implementation, the bcrypt algorithm is so slow and computationally demanding that it would take centuries to crack user passwords, rendering them all but useless. In the Ashley Madison hack, however, two implementation errors allowed researchers to crack more than 11 million of the passwords in just 10 days.
For the time being, we have no reason to believe that Under Armour will be plagued by the same errors. That said, users should change their passwords immediately — a step which, according to a release by MyFitnessPal, should be forced on users in the coming days anyway.