About 150 million users of the MyFitnessPal fitness and nutrition app and website have been affected by a data security breach, the site’s owner, Baltimore-based Under Armour, announced Thursday.
The company learned four days ago about the breach, which included user names, email addresses and hashed passwords, which had gone through an encryption process.
“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” Under Armour said in a statement. “The company quickly took steps to determine the nature and scope of the issue.”
Under Armour has become the latest victim of hacker attacks against corporations and municipalities, including Equifax and Baltimore city. The city discovered a breach that shut down its automated 911 dispatch system on Sunday, the same day Under Armour said it learned of the MyFitnessPal breach.
The MyFitnessPal data did not include Social Security numbers, driver’s license numbers or other government-issued identifiers, which the app does not collect from users. The breach also did not affect payment card data, which is collected and processed separately, Under Armour said.
But security experts warn that hackers can use or sell password information to gain access to more sensitive personal information or break into other accounts.
The brand began notifying MyFitnessPal users Thursday afternoon, via email and through app messaging.
The company is urging app users to change their passwords immediately and also to change similar or matching passwords used elsewhere.
Under Armour could face a backlash from customers, one management consultant said.
“They’re known as a high performance brand, and a brand that’s going to protect and make you strong and make you better,” said Eric Schiffer, chairman of Reputation Management Consultants, based in Los Angeles. “Most customers would rather chew glass than have their accounts hacked, and Under Armour is at the end of the day responsible and is going to feel a blistering amount of heat because of it.”
Customers also may feel like the company waited too long to notify them of the breach, he said.
“Four days is an eternity to alert customers to protect themselves,” Schiffer said.
Under Armour said it is continuing its investigation, working with data security firms and coordinating with law enforcement authorities.
Under Armour acquired San Francisco-based MyFitnessPal for $475 million in February 2015, when it also acquired Endomondo, a fitness app based in Copenhagen, Denmark, for $85 million.