Under Armour Breach Exposed 150M MyFitnessPal Accounts

Under Armour has revealed that it’s suffered one of the biggest hacks in history after data from 150 million users of its MyFitnessPal diet and fitness app was compromised in February.

According to Reuters, Under Armour shares were down 3 percent in after-hours trade.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” the company wrote in a statement. “The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.”

The stolen data includes account usernames, email addresses and scrambled passwords for the MyFitnessPal mobile app and website. Social Security numbers, drivers’ license numbers and payment card data were not compromised.

The company said that the investigation is ongoing, but so far approximately 150 million user accounts were affected by the breach, which is the largest of the year and one of the top five in history. Under Armour stated it doesn’t know the identity of the unauthorized party.

MyFitnessPal users are being encouraged to change their passwords immediately, as well as to review their accounts for suspicious activity.

Under Armour bought MyFitnessPal in 2015 for $475 million. The app and website is part of the connected fitness division, which accounted for 1.8 percent of Under Armour’s $5 billion in total sales last year.

While the breach did not include financial data, there is still much to be gained by stealing large quantities of email addresses. In fact, email addresses retrieved in a 2014 attack that stole data from around 83 million JPMorgan Chase customers was later used in pump-and-dump schemes aimed at boosting stock prices.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” Under Armour informed its customers. “We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.”