Sports apparel company Under Armour announced Thursday that a massive data breach had affected roughly 150 million users of its popular MyFitnessPal app. Hackers acquired user names, email addresses, and passwords in late February, according to the Huffington Post. Payment information such as credit card numbers was unaffected, since Under Armour processes that information separately, and the app does not collect data such as social security numbers or driver’s license numbers.
Even so, it likely represents the largest data breach so far this year, and could be among the five largest ever, based on the number of records affected. Other companies have recently faced a series of large-scale data breaches, including travel booking site Orbitz, which said nearly 900,000 credit card records were affected by a breach earlier this month. A second Equifax breach last year involved data from 2.4 million people, on top of the massive breach just six months earlier that exposed 143 million people’s financial information. In 2013, three billion Yahoo user accounts were affected by a data breach.
Under Armour says it became aware of the breach on March 25th and notified users four days later. The company has not identified the hackers; it is requiring users of the app to change their passwords as soon as possible and recommends that users review their accounts for suspicious activity. The company’s Chief Digital Officer Paul Fipps wrote, in a notice to the app’s users:
“We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.”
The company’s shares fell by 3 percent in after-hours trading that day. It said it was working to improve its data security and to protect user information.
Under Armour bought the fitness app in 2015 for $475 million.
Wired Magazine praised Under Armour for disclosing the breach so quickly, and for protecting passwords with a hashing scheme that could make recovering them from the stolen data very difficult for hackers. However, Wired also notes that not all of the passwords were protected this way: the rest remain quite vulnerable, stored under a weaker scheme with well-known flaws. Johns Hopkins University cryptographer Matthew Green says this oversight may be a result of depending too heavily on in-house IT staff instead of using specialists.
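As an added illustration of the mixed-scheme problem Wired describes (this is constructed example code, not Under Armour's or the article's), the block below assumes an unsalted fast hash as the weaker legacy format and salted PBKDF2-HMAC-SHA256 as the stronger one. It verifies a login against either format and, on a successful login against a legacy record, returns a replacement record in the strong format, so the share of records still sitting on the weak scheme shrinks with every login; an audit function counts what remains.

```python
import hashlib
import hmac
import os

# Assumed, for illustration only: the weak legacy scheme is an unsalted fast hash,
# the strong scheme is salted PBKDF2-HMAC-SHA256 with a work factor.
PBKDF2_ITERATIONS = 600_000
STRONG_PREFIX = "pbkdf2_sha256$"


def legacy_hash(password: str) -> str:
    """Weak scheme: unsalted, fast, so precomputed tables and GPUs crack it cheaply."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Strong scheme: per-record random salt plus a high iteration count."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{STRONG_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(stored: str, password: str):
    """Return (ok, record). On a successful login against a legacy record the
    returned record is re-encoded in the strong format for the caller to persist."""
    if stored.startswith(STRONG_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_hash(password), stored)
    return ok, (strong_hash(password) if ok else stored)


def audit(store: dict) -> dict:
    """Count how many records still sit on the legacy scheme: the exposed remainder."""
    counts = {"legacy": 0, "strong": 0}
    for record in store.values():
        counts["strong" if record.startswith(STRONG_PREFIX) else "legacy"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample store: one legacy record, one already-upgraded record.
    users = {"alice": legacy_hash("correct horse"), "bob": strong_hash("battery staple")}
    ok, new_record = verify_and_upgrade(users["alice"], "correct horse")
    if ok:
        users["alice"] = new_record  # persist the upgraded record
    print(audit(users))
```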
“It means you get some amateur hour stuff,” according to Green.