In what appears to be the first major data breach involving a health-and-fitness-tracking app, Under Armour disclosed to its customers, just a half hour after markets closed Thursday for a long weekend, that MyFitnessPal, a fitness app owned by Under Armour, had experienced a breach that potentially exposed the user data of 150 million people.
The breach reportedly occurred in February 2018. Under Armour became aware of it on March 25 and has been informing users.
The affected information includes usernames, email addresses, and hashed passwords, but does not include Social Security numbers, driver’s license numbers, or any payment card data.
The company said it's "working with leading data security firms to assist in its investigation" into how the "unauthorized party" came to acquire the data from MyFitnessPal. Unlike Equifax executives, Under Armour said it learned about the hack earlier this week and decided to go public right away. The breach occurred in February.
Under Armour, Inc. (NYSE: UA, UAA) today announced that it is notifying users of MyFitnessPal – the company's food and nutrition application and website – about a data security issue. On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.
Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities. The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.
Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
There is a full FAQ here.
Just when Kevin Plank thought his company's stock was recovering.
Under Armour shares tumbled in after-hours trading, reflecting the seriousness of the breach.
Given all the attention being paid to corporate America's lax standards for safeguarding sensitive customer data, we wonder: Will Under Armour executives also be hauled in front of Congress next month?