Under Armour announced a massive data breach on Thursday that impacts about 150 million accounts on its popular MyFitnessPal nutrition and fitness tracking app.
The data breach took place in February. The stolen data includes usernames, email addresses and hashed passwords, Under Armour said in a statement to Reuters. Social Security numbers, driver's license numbers and payment card data were not accessed in the breach, the company added.
Under Armour said it was working with both data security firms and law enforcement entities in the investigation. The activewear brand said it became aware of the breach on March 25 and began notifying users via email and in-app messages on Thursday.
MyFitnessPal is a popular diet and fitness app for both Android and iOS. It was acquired by Under Armour in 2015.
In an email to MyFitnessPal users, the company said that it is doing a number of things to protect its user base, including notifying users, requiring password changes, and providing information on data protection.
Under Armour isn’t requiring password changes quite yet, but it is urging all users to change their passwords immediately. In addition, MyFitnessPal said in the email that it would “continue to make enhancements to our systems to detect and prevent unauthorized access to user information.”
Notably, the breach is the largest of 2018 thus far, and one of the largest breaches recorded to date based on the number of impacted user accounts, according to SecurityScorecard. Larger breaches include a Yahoo attack that compromised over 3 billion accounts.
And while no financial details were stolen, large databases of email addresses are typically valuable to cyber-criminals. Such email troves can be sold on the dark web and used to send out massive spam campaigns.
MyFitnessPal recommends that users change their passwords immediately, monitor their accounts for suspicious activity, and be cautious of any unsolicited emails or communications that ask for personal data.
If you use the same password across multiple services, websites or accounts, it’s strongly recommended you go through and change them all — using unique passwords for each service and following the current best practices for strong security.