Better change your password before logging that next meal

Under Armour announced a data breach over the weekend that exposed the usernames, passwords and emails of approximately 150 million users of its exercise and nutrition app MyFitnessPal.

The breach is said to have occurred in late February, with the American sportswear company being made aware of the issue on 25 March, notifying its customers four days later through email and in-app messaging.

No government-issued identifiers or credit card information was exposed as this data is collected separately, the company said in a statement on Thursday.

MyFitnessPal is a popular service which allows users to log diet and exercise information, tracking these habits in order to improve their health.

Under Armour, which acquired MyFitnessPal in 2015 for $475 million, saw its shares drop 3.8% following the disclosure with some believing that the company should have notified its consumers sooner.

One management consultant told The Baltimore Sun, a city that has just experienced a cyber-attack on its emergency services, that “four days is an eternity to alert customers to protect themselves”.

While no financial data was revealed in the breach, security experts are concerned that attackers could use or sell MyFitnessPal passwords to gain access to this sort of sensitive information.

Under Armour has said that it is working with data security firms and law enforcement to determine the cause of the issue and that the investigation is ongoing.

The majority of the information affected, however, used the bcrypt hashing function, which is meant to secure passwords and protect accounts from any brute force attack.

According to Troy Hunt, who runs the data breach information site Have I Been Pwned?, some of the MyFitnessPal account data was protected with an older hashing function, SHA-1.

Speaking in his weekly video blog, Hunt said: “This echoes what happened with Dropbox. It had about half their hashes as SHA-1 and half their hashes as bcrypt.

“What a lot of companies do is they have a legacy hashing algorithm approach and time goes by and they say ‘SHA-1 isn’t any good anymore and we should use bcrypt.’”

Under Armour has urged MyFitnessPal users to change their passwords and to monitor their accounts for any suspicious activity.

Other fitness apps owned by the company, such as MapMyRun, are not believed to have been compromised in the breach, Engadget reports.