The personal details of around 150 million users of the popular nutrition app MyFitnessPal have been exposed in the latest large-scale breach, the third biggest in history in terms of the number of user accounts affected. US fitness brand Under Armour, which owns the MyFitnessPal software, has said that usernames, email addresses and passwords were potentially stolen.
The good news is that the majority of the affected passwords were apparently hashed with the bcrypt algorithm, which has a good reputation for security: it is salted and deliberately slow, so stolen hashes are expensive to guess against. In contrast to other recent high-profile hacks, the company has also moved quickly to alert users to the issue, raising the alarm only four days after it became aware of the breach itself.
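The point of a slow, salted scheme like bcrypt is that a stolen hash does not hand the attacker the password: each guess costs real work and salts rule out precomputed tables. The following is an added illustration, not code from the original article or from Under Armour; it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (which needs a third-party package), and stores the scheme, cost and salt alongside each hash so that records on a weaker or cheaper scheme can be found and upgraded. The record format, cost value and function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Added example (not the article's or Under Armour's code). PBKDF2-HMAC-SHA256
# stands in for bcrypt: both are salted, deliberately slow password hashes.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 200_000   # cost parameter; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$cost$salt$digest (all base64 where binary)."""
    salt = os.urandom(SALT_BYTES)           # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                        # malformed record never verifies
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True for legacy records (other scheme, or cost below the current minimum).

    A site that, like the one in the article, has only a 'majority' of accounts on
    the strong scheme can use this at login time to migrate the remainder.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < minimum_iterations
```

Verification recomputes the hash from the stored salt and cost, so the stored record is all that is needed; `needs_rehash` is what lets an operator move the remaining accounts onto the strong scheme the next time each user logs in, rather than leaving a minority on a weaker hash indefinitely.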
However, the news is not all good, and reports suggest that the breach may actually have occurred in late February, but was only discovered on 25 March. This means that the hackers had access to personal data for a month before users were alerted and given the opportunity to safeguard their details.
This breach has taken place just ahead of the 25 May 2028 deadline for GDPR compliance, which is fortunate for Under Armour: the breach would otherwise have fallen within the scope of the legislation, since it involved the personal data of users based in the EU, even though the data was actually held in the US.
This would have opened the company up to potential fines from EU regulators, in addition to claims from users who had suffered financial loss as a result. The regulator would have given the company credit for its prompt notification of users once it found out about the breach, but would not have looked kindly upon the time it took to discover it.
It is not clear at the moment exactly how the hack occurred, but a network monitoring solution would most likely have picked up the data breach at a much earlier stage and automatically shut down access to affected databases. This would have alerted system administrators to the issue and limited the scale of the damage to the company and its users.
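As an added illustration of the kind of monitoring the paragraph above has in mind (not code from the original article, and not a description of how this breach was actually carried out): a check that totals the rows each client pulls from a sensitive table over a sliding window, flags clients that exceed a baseline, and produces the block-list an automated response would hand to the database gateway. The log format, the client names, the threshold and the window are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed database access-log lines for this example:
# timestamp  client  operation  table  rows_returned
SAMPLE_LOG = """\
2018-02-20T02:00:01 app-web-1 SELECT users 1
2018-02-20T02:00:02 app-web-2 SELECT users 1
2018-02-20T02:00:03 app-web-1 SELECT users 1
2018-02-20T02:00:04 app-web-2 UPDATE users 1
2018-02-20T02:01:10 10.0.9.77 SELECT users 500000
2018-02-20T02:01:40 10.0.9.77 SELECT users 500000
2018-02-20T02:02:05 10.0.9.77 SELECT users 500000
"""

# Assumed baseline: no legitimate client reads more than this many rows of the
# users table within a five-minute window.
ROWS_PER_WINDOW_LIMIT = 100_000
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, op, table, rows) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, op, table, rows = line.split()
        events.append((datetime.fromisoformat(ts), client, op, table, int(rows)))
    return events


def detect_bulk_reads(events, table="users", limit=ROWS_PER_WINDOW_LIMIT, window=WINDOW):
    """Return {client: peak_rows} for clients whose SELECT volume on `table`
    exceeds `limit` rows inside any sliding window of length `window`."""
    by_client = defaultdict(list)
    for ts, client, op, tbl, rows in events:
        if op == "SELECT" and tbl == table:
            by_client[client].append((ts, rows))

    flagged = {}
    for client, reads in by_client.items():
        reads.sort()
        total, start, peak = 0, 0, 0
        for ts, rows in reads:
            total += rows
            # drop reads that have fallen out of the window
            while ts - reads[start][0] > window:
                total -= reads[start][1]
                start += 1
            peak = max(peak, total)
        if peak > limit:
            flagged[client] = peak
    return flagged


def block_list(flagged):
    """Clients whose access an automated response would cut off pending review."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = detect_bulk_reads(parse_log(SAMPLE_LOG))
    for client, rows in hits.items():
        print(f"ALERT {client}: {rows} rows of users in {WINDOW}")
    print("block:", block_list(hits))
```

A volume check of this kind is deliberately simple; in practice the baseline comes from observed history per client and table, and the response (revoking the client's credentials, alerting on-call staff) runs on the first window that exceeds it rather than after the fact.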
With the GDPR implementation deadline only a couple of months away, now is the time for CTOs to take action to ensure company compliance before, not after, a data breach has occurred.
Sonny Sehgal
Head of Cyber Security