After massive MyFitnessPal breach, firms should reconsider mobile fitness programs

A breach of the Under Armour-owned app affected 150 million user accounts.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A security breach of the MyFitnessPal mobile app, owned by Under Armour, affected the personal accounts of 150 million users.
  • As companies invest in mobile and IoT employee health initiatives, they must account for the added security risk.

Data from roughly 150 million user accounts of the health and nutrition app MyFitnessPal was compromised in a recent data breach, announced by parent company Under Armour in a Thursday press release.

According to the release, Under Armour became aware of a "data security issue" on March 25 involving the unauthorized acquisition of user data from a third party in late February 2018. The firm then began investigating the issue and informing users through in-app messages and emails, the release noted. A full copy of the message sent to MyFitnessPal users can be found on our sister site ZDNet.

Under Armour is working with data security companies on the investigation. Hackers were able to get usernames, email addresses, and hashed passwords that were secured with bcrypt, the release noted. However, they did not access payment card data and, because the firm doesn't collect government identifier data, they also couldn't access Social Security numbers or driver's license numbers.

The breach follows a recent revelation that running app Strava had accidentally revealed the locations of hidden US military bases through the use of anonymous data collected on the app.

Incidents like those at Strava and MyFitnessPal have obvious implications for consumer privacy, but they can affect businesses as well. As many organizations seek to improve employee health through wellness challenges, they often use a mobile app or connected fitness tracker. In doing so, they bring another potential attack vector into their organization.

For companies that are on top of their mobile and Internet of Things (IoT) security, this can be accounted for and mitigated. However, a recent Verizon report noted that 32% of companies will sacrifice mobile security in order to improve business performance, meaning that many companies may not be taking these risks seriously enough.

Organizations that want to use such apps and IoT devices for wellness initiatives must account for them in their security strategy. If a hacker could access employees' usernames and passwords for those apps, it's very likely that some of those passwords could match the ones on their corporate accounts.

Under Armour's investigation is ongoing, and the company will be requiring users of MyFitnessPal to change their passwords.

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
