One of the long-held fears about our wearable data-tracking habits is that the vast collection of information would be accessed by hackers. From 2013, the quantified-self movement gained momentum. With Apple Watches on our wrists and apps like RunKeeper on our phones, we keep track of when we go to bed, what food we eat, what medicines we take, and what routes we drive close to home. Online thieves have already targeted Fitbit owners to defraud the wearable manufacturer, and healthcare companies have been the target of numerous hacks in recent years. The popular nutrition and fitness tracking app MyFitnessPal has become the latest service – and one of the first in the health and activity monitoring area – to disclose that its data has been accessed in a hack.
Under Armour announced Thursday that around 150 million users of the MyFitnessPal app may have been affected by a February data breach. Under Armour said it learned of the breach last Sunday after realizing that an unauthorized party had accessed MyFitnessPal's data. Information such as usernames, e-mail addresses, and hashed passwords may have been obtained. Payment information was not involved. MyFitnessPal is notifying affected users about the security breach, telling them to change their passwords and recommending that they change passwords for all other accounts that contain similar information. At this point MyFitnessPal seems to have avoided a worst-case scenario – the app contains a wealth of diet, fitness and exercise statistics, but Under Armour has not indicated that this information has been compromised.
When the activity tracking app Strava accidentally revealed the locations of secret military bases via its data-laden heatmaps, it sent ripples through the fitness space. "[A] Fitbit can inadvertently become a farmer in an unexplored world of collective data," wrote Vox. Users have rethought their activity in such apps – or at least their privacy settings on them. The Strava incident highlighted the dangers that purposely public data could pose for personal and national security and made users question whether that was such a good idea. The entire fitness app industry depends on people sharing their personal metrics. If they cannot trust that these data are safe and used properly, the industry could collapse.
We still do not know how the data was breached. With 150 million affected users, this is one of the biggest known breaches. It's worth noting that passwords, as shown by an RSA survey, are one of the most consumer-friendly pieces of information in the US. Under Armour and MyFitnessPal seem to have some good data practices: billing information was kept separate from general user information, which was in turn stored separately from user-uploaded app data. Under Armour also seems to have responded quickly when it learned of the breach, notifying users and the public a few days later – a stark contrast to other companies like Uber, which hid its 2016 data breach by paying hackers. However, it is an important reminder that hacking is not a question of if, but when. And it's an important reminder that all your personal information is susceptible to hacker attacks, no matter how trivial it looks. Our smartphones, wearables and apps are collecting data on millions of lives every day. Things like your calorie intake and step count may not be valuable to a hacker. But in conjunction with other information captured by a fitness tracker, such as where you worked or how long you were away from home, these insignificant data points can give a valuable picture of who you are.