Under Armour just informed its users that data from approximately 150 million MyFitnessPal diet and fitness app accounts was compromised. The email from Under Armour indicates that on March 25, 2018, the company became aware that during February an unauthorized party acquired data associated with user accounts. While the breach occurred in February, I am happy to see that they’re reporting it to users so promptly. At least it’s within a few days. Perhaps they are aware of what they shouldn’t be doing, thanks to a recent data breach? The stolen data includes account usernames, email addresses, and even passwords – albeit scrambled. The good news? Social Security numbers, driver’s license numbers, and payment card data weren’t part of the stolen data.
All of this means you need to go and change your password as soon as possible. This is still a serious data breach in terms of numbers. And if I’m being honest – it could have been worse. Larger hacks include the 3 billion Yahoo accounts compromised back in 2013 and the more than 412 million FriendFinder network users whose data was stolen back in 2016. And of course, who could forget Equifax?
While the breach itself didn’t include any financial data, hackers were still able to get a lot of email addresses, which can be of value to criminals. Back in 2014, some 83 million JPMorgan Chase customers’ email addresses were stolen. The data was then used in a pump-and-dump scheme in order to boost stock prices. So don’t think that because it was “just” email addresses, it can’t be problematic.
Under Armour has stated that they will continue to monitor for suspicious activity and then coordinate with law enforcement authorities. It did take Under Armour four days to notify users of the breach, but like I said earlier, that is lightning speed compared to some other breaches as of late. Some might argue that you need to notify users immediately. And I agree, but we should keep in mind that it might take time for Under Armour to determine the severity of the breach. It would be premature for Under Armour to notify users of the breach if they didn’t understand the full scope. Is it just email addresses? Were the hackers, in fact, able to get Social Security numbers? I think this is a safe route. Waiting months and months is irresponsible.
What we don’t know is how this happened. According to some security experts, it’s likely that the hacker had some kind of authorized user credentials. Scary, right? The world that we live in now has changed dramatically from a cybersecurity perspective. It isn’t enough to just try and guard the gate in order to keep unauthorized users out. Businesses now need to monitor what’s going on inside the network as well. Not only is that scary, but it’s also sad. Like I said, the good news is that it was only usernames, email addresses, and encrypted passwords. Which means, if you haven’t done so already, you need to change your password. Heck, this might serve as a warning to regularly change your passwords.