American sports apparel company Under Armour has announced a massive data breach affecting about 150 million accounts on its MyFitnessPal app. The exposed data includes usernames, email addresses and hashed passwords.
According to Under Armour, personally identifiable information such as Social Security numbers or payment card details was not affected by the breach. The apparel company acquired MyFitnessPal, an app that tracks users' diet, nutrition and exercise, in 2015 for $475 million.
Under Armour released its statement on March 29, 2018. It said the company became aware on March 25, 2018 that an unauthorized party had acquired MyFitnessPal account data in late February 2018.
Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information.
According to HYPR CEO George Avetisov, unlike many other companies, Under Armour was open about the breach almost as soon as it became aware of it.
"What Under Armour did differently was they came clean about the breach almost immediately. And they are getting a lot of kudos for this. It should prove that whether there's regulatory enforcement or not, companies have a duty to their customers and a fiduciary responsibility to reveal these breaches as soon as possible."
Other companies have been far slower. LinkedIn, for instance, took four years to detect and reveal a breach that exposed 117 million email addresses and passwords; Yahoo took three years to investigate and disclose a breach that affected over 3 billion accounts; and Dropbox disclosed its breach of 68 million user accounts four years after the data was taken.
According to Paul Fipps, Chief Digital Officer at Under Armour, “The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”
bcrypt is a password-hashing function published in 1999, 19 years before this breach. It is built on the expensive key schedule of the Blowfish block cipher, salts every password individually, and has a tunable cost factor (key stretching) that makes each guess deliberately slow. That combination limits how many candidate passwords an attacker can try per second against stolen hashes, so bcrypt is still considered a sound choice.
However, some of the MyFitnessPal passwords were hashed with SHA-1 instead. SHA-1 is an older, general-purpose hash designed to be fast, not a password hash: it has no built-in salt or cost factor, so stolen SHA-1 password hashes can be attacked with dictionary and brute-force guessing far more quickly than bcrypt hashes.
According to Troy Hunt, the researcher who runs HaveIBeenPwned.com, “This echoes what happened with Dropbox. It had about half their hashes as SHA-1 and half their hashes as Bcrypt. What a lot of companies do is they have a legacy hashing algorithm approach and time goes by and they say ‘SHA-1 isn’t any good anymore and we should use Bcrypt.’”
Under Armour said that only a minority of the passwords were hashed with SHA-1, but did not give a percentage. Affected users are being told to change their passwords within the next few days.
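The migration pattern Troy Hunt describes, as an added example that is not Under Armour's, MyFitnessPal's or Dropbox's code: a hypothetical user store holding both legacy SHA-1 records and salted, stretched records; a login path that rehashes a legacy record the next time that user authenticates; and an offline dictionary attack against the SHA-1 subset. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here. The record formats, the sample users and passwords, and the assumption that the legacy SHA-1 hashes are unsalted (the page does not say whether MyFitnessPal's were) are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Added example, not MyFitnessPal/Under Armour code. bcrypt is not in the
# Python standard library, so PBKDF2-HMAC-SHA256 stands in for it: like
# bcrypt it salts each password and runs a tunable number of rounds
# (key stretching). Record formats are assumed for this example:
#   "sha1$<hex>"                        legacy: unsalted, single-pass SHA-1
#   "pbkdf2$<rounds>$<salt hex>$<hex>"  current: salted, stretched
ROUNDS = 100_000  # cost parameter; raise it as hardware gets faster


def hash_legacy_sha1(password):
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_stretched(password, rounds=ROUNDS, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify(stored, password):
    """Constant-time check of a password against either record format."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(hash_legacy_sha1(password), stored)
    if scheme == "pbkdf2":
        rounds, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown hash scheme: %r" % scheme)


def login(store, username, password):
    """Check the password; on success, upgrade a legacy record in place.

    Only a login supplies the plaintext needed to rehash, which is why a
    store migrated this way keeps SHA-1 entries for every dormant account.
    """
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        store[username] = hash_stretched(password)
    return True


def legacy_count(store):
    return sum(1 for rec in store.values() if rec.startswith("sha1$"))


def crack_legacy(store, wordlist):
    """Offline dictionary attack on the unsalted SHA-1 entries.

    No salt means one SHA-1 per candidate word covers every user at once,
    so the cost is len(wordlist) fast hashes regardless of user count.
    Against the stretched records an attacker must instead run ROUNDS HMAC
    iterations per (user, guess) pair because each salt is unique.
    """
    table = {hash_legacy_sha1(w): w for w in wordlist}
    return {user: table[rec] for user, rec in store.items()
            if rec.startswith("sha1$") and rec in table}


def build_sample_store():
    """Constructed sample data: a mixed store like the one Troy Hunt describes."""
    return {
        "alice": hash_legacy_sha1("password1"),  # dormant, never rehashed
        "bob": hash_legacy_sha1("letmein"),
        "carol": hash_stretched("correct horse battery staple", rounds=1_000),
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("legacy records:", legacy_count(store))
    print("cracked with a 3-word list:",
          crack_legacy(store, ["123456", "password1", "letmein"]))
    login(store, "alice", "password1")
    print("legacy records after alice logs in:", legacy_count(store))
```

Rehash-on-login only clears a legacy record when its owner actually signs in, so accounts that have gone quiet since the switch keep their SHA-1 hash indefinitely; that is how a store ends up with a persistent SHA-1 minority years after the upgrade, and why forcing a password change is the only way to retire those hashes once they have been stolen.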
“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” Paul Fipps noted in the statement.