Under Armour on Thursday said an “unauthorized party” had grabbed information including usernames, email addresses and hashed passwords, from about 150 million MyFitnessPal accounts.
The company said it began sending emails and in-app messages to the mobile app’s users on Thursday, four days after discovering the breach, which it said occurred in late February.
“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users,” Under Armour said in a statement. “Payment card data was also not affected because it is collected and processed separately.”
All MyFitnessPal users will have to change their passwords, the company said. Hashed passwords have been converted to a string of. But users with easy-to-guess passwords could still be vulnerable, as these are easier to crack when hashed. What’s more, mathematicians and hackers have broken hashes in the past.
MyFitnessPal is among the more popular apps used to track diet and exercise for fitness and weight goals.
Under Armour said it’s working with “leading data security firms” and “coordinating with law enforcement authorities.”
More information about the breach can be found here.
CNET’s Laura Hautala contributed to this report.
Crowd Control: A crowdsourced science fiction novel written by CNET readers.
Solving for XX: The tech industry seeks to overcome outdated ideas about “women in tech.”