This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

MyFitnessPal

Summary

MyFitnessPal, a popular nutrition and fitness tracking app owned by Under Armour, suffered a massive data breach affecting 150 million users worldwide, including approximately 4 million Australians. Discovered in March 2018, the breach exposed usernames, email addresses, and hashed passwords. As one of the world's largest fitness apps, the scale of the breach made it one of the most significant data security incidents affecting Australian consumers.

What Happened

In late February 2018, an unauthorised party gained access to MyFitnessPal's user database. The attackers obtained account information including usernames, email addresses, and hashed passwords. Hashing is a one-way transformation, not encryption: the stored value cannot be decrypted back to the password, but an attacker who holds the hashes can test password guesses against them offline at will. Under Armour's statement said that the majority of passwords were hashed with bcrypt, a deliberately slow function designed for password storage, and the remainder with SHA-1, a fast general-purpose hash that offers far less resistance to such guessing. The breach did not include payment card data, which was collected and processed separately and was not stored in the compromised systems.

Under Armour detected the intrusion on 25 March 2018 and immediately launched an investigation. The company disclosed the breach publicly four days later on 29 March. The breach affected accounts created before late February 2018, spanning several years of user registrations.

Impact on Individuals

With approximately 4 million Australian users affected, the breach created several risks:

  • Account takeover: the stolen hashes could be cracked offline. Weak or common passwords hashed with SHA-1 fall to a dictionary attack almost immediately; bcrypt makes each guess far more expensive but still does not protect a password that appears in a common wordlist
  • Credential stuffing attacks: recovered email and password pairs could be replayed against other services where users had reused the same password
  • Phishing campaigns: the email addresses could be used for targeted phishing, made more convincing because attackers knew the recipients were MyFitnessPal users
  • Privacy concerns: although no diet or exercise logs were exposed, holding an account in a nutrition and fitness app is itself personal information, and usernames can often be linked to the same person's accounts on other services

The breach highlighted the risks of password reuse across multiple services. Users who used the same password for MyFitnessPal and other accounts (banking, email, social media) faced elevated risk of account compromise on those other services.
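The cracking risk described in the first bullet above depends almost entirely on how the passwords were hashed. The following is an added example written for this page, not code from Under Armour or MyFitnessPal: it runs the same small dictionary attack against unsalted SHA-1 digests and against salted, deliberately slow hashes, and counts the work each costs. The account names, passwords and wordlist are constructed sample data, and the standard library's scrypt is used as a stand-in for bcrypt (an assumption of this example; the property shown, one slow evaluation per account per guess, is the same).

```python
import hashlib
import hmac
import os

# Constructed sample data (not real breach records): a small dictionary of
# common guesses and three accounts, two of which use passwords from that list.
WORDLIST = ["password", "123456", "fitness2018", "letmein", "qwerty", "sunshine"]
ACCOUNTS = {"alice": "fitness2018", "bob": "123456", "carol": "Tr0ub4dor&3-xyz"}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the weaker of the two schemes named in the disclosure."""
    return hashlib.sha1(password.encode()).hexdigest()


def leaked_sha1_table() -> dict:
    """Simulates the leaked column: username -> unsalted SHA-1 hex digest."""
    return {user: sha1_hex(pw) for user, pw in ACCOUNTS.items()}


def crack_unsalted(leaked: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes.

    With no per-user salt, each guess is hashed once and compared against
    every account at the same time, so the work is len(wordlist) no matter
    how many accounts leaked (a precomputed table would make it near zero).
    Returns (cracked accounts, number of hash evaluations).
    """
    lookup = {sha1_hex(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(wordlist)


def slow_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard KDF. scrypt stands in for bcrypt here (assumption
    of this example); one evaluation is deliberately slow and bound to a salt.
    """
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def salted_table() -> dict:
    """username -> (salt, digest), as a well-designed password store holds them."""
    out = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)
        out[user] = (salt, slow_salted_hash(pw, salt))
    return out


def crack_salted(leaked: dict, wordlist) -> tuple:
    """Dictionary attack on salted slow hashes.

    Every (account, guess) pair needs its own KDF evaluation, so the work grows
    as accounts x guesses and precomputation is useless. The two weak passwords
    still fall; what changes is the cost per account and per guess.
    Returns (cracked accounts, number of KDF evaluations).
    """
    cracked, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(slow_salted_hash(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted(leaked_sha1_table(), WORDLIST)
    print(f"unsalted SHA-1: cracked {found} with {work} hash evaluations")
    found, work = crack_salted(salted_table(), WORDLIST)
    print(f"salted scrypt : cracked {found} with {work} KDF evaluations")
```

Both attacks recover the same two weak passwords; the third account survives only because its password is not in the wordlist. The difference is the bill: six fast SHA-1 computations cover all three accounts, whereas the salted scheme needs one slow evaluation per account per guess, which is what buys users of a breached service time to change passwords before the hashes are cracked at scale.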

Organisational Response

Under Armour took immediate action upon discovering the breach:

  • Notified affected users via email and in-app notifications
  • Required all users to change their passwords
  • Invalidated all existing user sessions, forcing re-authentication
  • Enhanced monitoring and security systems
  • Engaged cybersecurity firms to investigate the breach
  • Worked with law enforcement authorities
  • Implemented additional security measures to prevent future incidents

The company recommended that users:

  • Change their MyFitnessPal password immediately
  • Change passwords on any other accounts where they used the same password
  • Enable two-factor authentication where available
  • Be alert to phishing emails claiming to be from MyFitnessPal

Scale and Significance

The MyFitnessPal breach was significant for several reasons:

  • Massive scale: 150 million users globally, making it one of the largest breaches of 2018
  • Australian impact: 4 million affected Australians represented approximately 16% of the population
  • Health app sector: Highlighted vulnerability of health and wellness platforms
  • Password security: Demonstrated ongoing challenges with password-based authentication
  • Notification speed: Four-day gap between discovery and disclosure became a point of discussion

The breach occurred during a period of heightened awareness about data security following major incidents like the Equifax breach, and contributed to growing consumer concern about app security and data protection.

Long-term Implications

The incident had lasting effects on the health and fitness app sector:

  • Increased scrutiny of security practices at health and wellness platforms
  • Greater user awareness about password security and reuse
  • Growing adoption of password managers and two-factor authentication
  • Enhanced regulatory focus on data security for health-related apps under privacy legislation

The breach remains one of the largest affecting Australian consumers and is frequently cited in discussions about the security of health and fitness tracking applications.

Verification Source: View original statement