The MyFitnessPal online fitness and nutrition website has suffered a data breach which affects up to 150 million customers. That is a few million more than the Equifax breach. Under Armour, the website’s owner, reported the breach yesterday. They have pushed out a notification on their website as well as to all affected customers of the MyFitnessPal breach and actually did so very quickly, which is pretty impressive. So far, it’s being handled a lot better than the Equifax omni-shambles.
Under Armour report that the MyFitnessPal breach included user names, e-mail addresses and hashed passwords (hashing is the way to scramble passwords).
This breach was detected last weekend, on 25th March. The data itself had been last accessed by the evil doers in February.
As part of the notification, Under Armour stated that they:
- are notifying MyFitnessPal users to provide information on how they can protect their data
- will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately
- will continue to monitor for suspicious activity and to coordinate with law enforcement authorities
- will continue to make enhancements to their systems to detect and prevent unauthorised access to user information
All good steps to be taken. I particularly applaud the engagement with law enforcement. As I stated in the post about the overwhelming attack which was detected earlier this month, businesses need to start reporting these criminal activities, so our own Garda Síochána can get better statistics which will support more funding for the Garda Cyber Crime Bureau.
Under Armour also provided the affected users with good advice:
- Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account
- Review your accounts for suspicious activity
- Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data
- Avoid clicking on links or downloading attachments from suspicious emails
I suppose it was too much to hope that they would give a suggestion that users should also start using two-factor authentication where possible. Hopefully one of the enhancements that they will make to their systems will be to introduce such a feature.
Have a watch of my short 10 minute video which tells you all you need to know about two-factor authentication: