A recently discovered cyberattack on Under Armour has raised fears about a wave of MyFitnessPal phishing attacks. On March 25, 2018, Under Armour discovered an unauthorized individual had gained access to the data of 150 million users of MyFitnessPal – including users with website accounts and those who use the MyFitnessPal app.
The Under Armour data breach is the largest discovered this year in terms of the number of individuals affected, although, in contrast to many other breaches discovered in Q1, the data obtained by the attackers was limited. Further, the stolen information was not stored in plain text: it had been hashed, so it could not be read immediately.
Usernames, email addresses, and passwords were stolen. The passwords had been hashed with bcrypt, a deliberately slow hashing algorithm that is particularly difficult to crack. Usernames and email addresses had been hashed with SHA-1. A hash is not decrypted but cracked by guessing inputs and comparing the results, and because SHA-1 is fast to compute, SHA-1 hashed data is far more straightforward to crack. It is likely this information that the attackers will concentrate on.
Under Armour discovered the breach in late March, although it occurred in late February. That means the attackers have had the hashed data for around six weeks and could already have cracked a considerable percentage of the stolen email addresses and usernames.
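The difference between the two hashing schemes above comes down to cost per guess. The following example, added here and not code from the article or from Under Armour, shows both sides of that: because an unsalted SHA-1 hash of an address is deterministic, anyone who knows an address can check whether its hash appears in a leaked dump (which is also how a defender verifies exposure of their own addresses), and a deliberately slow hash makes each such check orders of magnitude more expensive. The addresses and the "leaked" hash set are constructed sample data, and PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library.

```python
import hashlib
import time

# Constructed sample addresses; hypothetical, not data from the breach.
SAMPLE_ADDRESSES = ["alice@example.com", "bob@example.org", "carol@example.net"]


def sha1_hex(value: str) -> str:
    """Unsalted SHA-1 of a UTF-8 string, the scheme the article describes
    for usernames and email addresses."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


# Constructed "leaked dump": SHA-1 hashes of two of the sample addresses.
LEAKED_SHA1_HASHES = {sha1_hex("alice@example.com"), sha1_hex("carol@example.net")}


def addresses_in_dump(own_addresses, leaked_hashes):
    """Return the addresses from own_addresses whose SHA-1 appears in leaked_hashes.

    The hash is unsalted and deterministic, so membership is checked simply by
    hashing each known address. That is why SHA-1 gives such data little
    protection, and also how an organisation can confirm which of its own
    addresses are in a dump without ever having the attackers' plaintext."""
    return sorted(a for a in own_addresses if sha1_hex(a) in leaked_hashes)


def slow_hash_once(value: str) -> None:
    """A deliberately expensive hash (PBKDF2-HMAC-SHA256, 100k iterations) standing
    in for bcrypt; the constructed salt is fixed only to make timing comparable."""
    hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), b"constructed-salt", 100_000)


def guesses_per_second(hash_once, seconds: float = 0.2) -> float:
    """Measure how many hash evaluations one CPU core completes in `seconds`.
    At least one evaluation always runs, so the result is never zero."""
    count = 0
    deadline = time.perf_counter() + seconds
    while True:
        hash_once(f"user{count}@example.com")
        count += 1
        if time.perf_counter() >= deadline:
            break
    return count / seconds


def slowdown_factor() -> float:
    """How many times more expensive one guess is against the slow hash than
    against SHA-1; this is the margin the bcrypt-protected passwords enjoy."""
    return guesses_per_second(sha1_hex) / guesses_per_second(slow_hash_once)


if __name__ == "__main__":
    print("exposed:", addresses_in_dump(SAMPLE_ADDRESSES, LEAKED_SHA1_HASHES))
    print(f"slow hash is about {slowdown_factor():.0f}x more costly per guess than SHA-1")
```

The exact slowdown depends on the machine, but on any ordinary CPU the factor runs into the thousands, which is the point: the bcrypt passwords are not unbreakable, merely so costly per guess that six weeks buys far less than the same six weeks against SHA-1.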
Within four days of the discovery of the Under Armour data breach, notifications started to be sent to affected users, who have been advised to log in and change their passwords. While it is unlikely that the bcrypt-protected passwords have been cracked, all MyFitnessPal users should take this precaution.
Unfortunately, there is little users can do to stop MyFitnessPal phishing attacks. Once the SHA-1 hashes have been cracked, the attackers will have a list of 150 million email addresses to use. Breach victims can expect an increase in spam email and phishing attacks.
Users of the app are therefore advised to exercise caution and to be wary of phishing attacks. While it is probable that phishing campaigns themed around MyFitnessPal and the data breach will be launched, many other campaigns unrelated to MyFitnessPal are also likely to be conducted using the stolen data.
To avoid becoming a victim, use a spam filtering solution, never open email attachments sent by unknown individuals, do not click hyperlinks sent by people you do not know, and think carefully before taking any action suggested in an email. If you receive any request via email relating to the security of your MyFitnessPal account or app, consider that the message may be a scam.