Under Armour, the fitness apparel company, said that 150 million users of the MyFitnessPal app were the victims of a breach that exposed usernames, email addresses and hashed passwords.
The company said that payment card numbers and Social Security numbers were not part of the breach. Under Armour bought MyFitnessPal, a diet, nutrition and exercise tracking website and app, for $475 million in 2015.
In a statement sent to customers on Friday, the company said that on March 25, 2018, it became aware that in February 2018 "an unauthorized party has collected data from MyFitnessPal user accounts."
"Four days after the issue became known, the company began notifying the MyFitnessPal community by email and in-app messaging, which includes recommendations for MyFitnessPal users regarding account security steps they can take to protect their information," Under Armour said in a statement.
"What Under Armour did differently was that they immediately disclosed the breach, and they get a lot of credit for it," said George Avetisov, CEO of security firm HYPR. "It goes to show that companies, whether or not they face regulatory enforcement, are bound by obligations to their customers and by loyalty to disclose these breaches as quickly as possible."
By comparison, it took LinkedIn four years to discover its 1
"The information involved included usernames, email addresses and hashed passwords, the majority of them hashed with the bcrypt function used to secure passwords," according to an email sent to customers and signed by Paul Fipps, Chief Digital Officer at Under Armour.
Bcrypt is a 19-year-old password-hashing algorithm built on the Blowfish symmetric block cipher. It is considered secure and uses a technique called key stretching, which deliberately makes each hash computation expensive so that brute-force guessing is slow.
However, according to security expert Troy Hunt, who runs the breach-notification site HaveIBeenPwned.com, some of MyFitnessPal's passwords were protected only by SHA-1, an older, weaker hashing function.
"This is like what happened with Dropbox. It had about half of its hashes as SHA-1 and half of its hashes as bcrypt," Hunt said in his weekly video blog. "What many companies do is they have a legacy hashing algorithm, and time passes, and they say, 'SHA-1 is not good anymore and we should use bcrypt.'"
He argues that the window for migrating millions of SHA-1-protected credentials to bcrypt is too long when it is done only as each user logs in, since accounts that never log in again keep the weak hash indefinitely, leaving millions of credentials exposed to cracking.
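Hunt's point about the migration window, shown as an added example that is not code from the original article or from Under Armour, MyFitnessPal or Troy Hunt: the block below contrasts an unsalted SHA-1 password hash with a salted, iterated one and implements both migration paths, wrapping every legacy record immediately versus re-hashing only when a user logs in. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so the example runs without third-party packages; the record format, function names, iteration count and the three-user table are all constructed for illustration.

```python
"""Legacy SHA-1 password hashes beside a slow, salted scheme, plus the
two ways to migrate: wrap every record now, or re-hash as users log in.
Added example; PBKDF2 stands in for bcrypt (assumption), and the record
layout and sample users are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor for the slow hash


def sha1_legacy(password):
    """The weak legacy scheme: unsalted SHA-1, one fast hash per guess."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(material, salt):
    """Salted, iterated hash; each guess costs ITERATIONS HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def new_record(password):
    """Record for a password we hold in the clear: native slow scheme."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": slow_hash(password.encode("utf-8"), salt)}


def wrap_legacy(record):
    """Immediate migration: feed the stored SHA-1 hex digest into the slow
    hash. Needs no password, so it can run over the whole table at once."""
    assert record["scheme"] == "sha1"
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "salt": salt,
            "hash": slow_hash(record["hash"].encode("ascii"), salt)}


def verify_and_upgrade(store, user, password):
    """Check a login and, on success, move the record to the native scheme.
    Used alone this is the slow path Hunt criticises: a user who never logs
    in keeps the weak hash forever."""
    rec = store[user]
    scheme = rec["scheme"]
    if scheme == "sha1":
        ok = hmac.compare_digest(rec["hash"], sha1_legacy(password))
    elif scheme == "pbkdf2(sha1)":
        inner = sha1_legacy(password).encode("ascii")
        ok = hmac.compare_digest(rec["hash"], slow_hash(inner, rec["salt"]))
    elif scheme == "pbkdf2":
        ok = hmac.compare_digest(
            rec["hash"], slow_hash(password.encode("utf-8"), rec["salt"]))
    else:
        raise ValueError("unknown scheme %r" % scheme)
    if ok and scheme != "pbkdf2":
        store[user] = new_record(password)  # password in hand: re-hash natively
    return ok


def crack_sha1(digest_hex, wordlist):
    """Offline guessing against unsalted SHA-1: one cheap hash per guess and
    no salt, so precomputed tables and GPUs make this fast at scale."""
    for guess in wordlist:
        if sha1_legacy(guess) == digest_hex:
            return guess
    return None


def schemes_in_use(store):
    counts = {}
    for rec in store.values():
        counts[rec["scheme"]] = counts.get(rec["scheme"], 0) + 1
    return counts


def demo():
    # Constructed sample table: two legacy SHA-1 users, one native user.
    store = {
        "alice": {"scheme": "sha1", "salt": b"", "hash": sha1_legacy("summer2017")},
        "bob": {"scheme": "sha1", "salt": b"", "hash": sha1_legacy("correct horse")},
        "carol": new_record("a much longer passphrase"),
    }
    cracked = crack_sha1(store["alice"]["hash"], ["123456", "password", "summer2017"])
    before = schemes_in_use(store)
    # Wrap every legacy record now: no bare SHA-1 digest remains in the table.
    for user, rec in list(store.items()):
        if rec["scheme"] == "sha1":
            store[user] = wrap_legacy(rec)
    after_wrap = schemes_in_use(store)
    # Bob logs in: his wrapped record is upgraded to the native scheme.
    bob_ok = verify_and_upgrade(store, "bob", "correct horse")
    bob_bad = verify_and_upgrade(store, "bob", "wrong")
    return {"cracked": cracked, "before": before, "after_wrap": after_wrap,
            "bob_ok": bob_ok, "bob_bad": bob_bad, "final": schemes_in_use(store)}


if __name__ == "__main__":
    print(demo())
```

The wrapping step removes every bare SHA-1 digest from the table the same day the decision is made, which closes the window Hunt describes; the login-time path then replaces wrapped records with native hashes opportunistically. With real bcrypt the same wrap works because a 40-character hex digest sits well under bcrypt's 72-byte input limit.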
Under Armour would not say what percentage of passwords was stored only with SHA-1, saying only that it was a minority.
Fipps said that customers will be required to reset their passwords in the coming days.
"As soon as we became aware of this, we quickly took steps to determine the nature and scope of the problem. We are working with leading data security companies to support our investigation. We have also informed and are coordinating with law enforcement agencies," Fipps wrote to MyFitnessPal users.
The MyFitnessPal breach is the biggest breach of 2018 so far.
"This is an old story and shows that we still have not learned from the last mammoth breach. The fact is, whether it is passwords or medical data, what these companies do is put all this data in one place and create a single point of failure," said Avetisov.
(This article was updated 3/30/2018 at 2 p.m. ET with a brief statement from Under Armour.)