Approximately 150 million users of the MyFitnessPal app for Android and iOS devices were compromised as part of a security breach that occurred in late February, Under Armour announced Thursday, having revealed it’s presently in the process of notifying all of its customers that it suspects had their data accessed by an unauthorized third party last month. The app and web service that the Baltimore, Maryland-based tech and apparel company acquired in early 2015 has apparently been hacked, with unidentified attackers obtaining information such as email addresses, usernames, and hashed passwords, most of which have been collected together with the bcrypt hashing function, meaning they were still scrambled, though Under Armour will be asking all possibly affected individuals to change their passwords immediately.
Government-issued information like driver’s license and social security numbers hasn’t been compromised given how Under Armour doesn’t collect such data. Credit card and other payment-related information is also safe because it is collected and processed by the company separately, presumably through an additionally secured third-party service. The exact scope of the incident has yet to be determined as Under Armour continues investigating the matter. The firm said its security team became aware of the breach on Sunday, March 25, without divulging how the evidence of the attack has been discovered. The company isn’t conducting the probe on its own but has already hired a number of data security firms to support it in assessing the situation, having already notified authorities of the development and started cooperating with their own investigation.
MyFitnessPal users that may have been affected by the breach received or will soon receive a number of recommendations meant to ensure their digital data remains safe, the firm said. Immediately changing one’s password is likely to be at the top of Under Armour’s suggestions. The disclosure of the incident comes two months after another fitness service — Strava — accidentally leaked information on U.S. military personnel movements in certain conflict territories around the world, with the new ordeal also being significant in the context of the widespread data privacy debate that’s currently taking place on a global level following Facebook‘s Cambridge Analytica scandal.