Under Armour notified MyFitnessPal users that an unauthorized third party accessed usernames, email addresses and hashed passwords in about 150 million accounts in late February,
The hashed passwords affected were in large part ones “with the hashtag function called bcrypt used to secure passwords,” the company said in an alert.
“The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers), which the company does not collect from users,” the statement noted. Likewise, payment card data wasn't affected since the company collects and processes that separately.
“The re-use of passwords in situations like this may seem like short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of NuData Security, a MasterCard company.
She said “anyone who thinks they may have reused their MyFitnessPal password on other sites needs to change each account password and track all account activity carefully.”