MyFitness Pal Breach Hits 150 Million: What to Do Now

Athletic-apparel maker Under Armour announced late Thursday (March 29) that its MyFitness Pal smartphone app had suffered a data breach affecting 150 million user accounts.

This guy's had his MyFitness Band account hacked. Credit: Garmin

(Image credit: This guy's had his MyFitness Band account hacked. Credit: Garmin)

Compromised personal information included usernames, email addresses and "hashed" passwords that were passed through a one-way encryption function.

What to Do Now

If you have, or ever had, a MyFitness Pal account (the app works in conjunction with Garmin, Fitbit and many other kinds of wearable devices), go to the MyFitness Pal website and change your password immediately, and change it on any other account where you used that password. Under Armour will be forcing all users to change their passwords anyway.

MORE: What to Do After a Data Breach

The good news is that a "majority" of the passwords were hashed with the very strong bcrypt function, which is virtually impossible to crack if it is properly implemented. The bad news is that the rest were hashed with the SHA-1 function, which hasn't been considered safe to use since 2005.

Under Armour also warned users to watch out for phishing emails pretending to come from Under Armour or MyFitness Pal, and noted that none of the legitimate emails will request data, have attachments or have any links other than to the FAQ.

How Did This Happen?

"On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018," an Under Armour press release said. "The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident."

No financial information, such as credit-card numbers, was included in the compromised information, and nor were Social Security numbers or drivers'-license numbers.

Under Armour will be directly notifying all MyFitness Pal users, a FAQ posted online stated.

Best Identity Protection Services

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.