Security Experts Weigh In On Massive Data Breach Of 150 Million MyFitnessPal Accounts

Tony Bradley
The Aftermath of a Data Breach


Another day, another data breach. Actually, all data breaches aren’t created equally. I should say, another massive data breach. Under Armour shared that on March 25 it discovered unauthorized access that exposed or compromised 150 million MyFitnessPal accounts.

MyFitnessPal is a popular fitness tracking app that has been around for a long time. It was founded in 2005 and enables users to monitor calorie intake and exercise. Under Armour acquired MyFitnessPal about three years ago for $475 million.

Under Armour deserves some credit for how quickly it notified users and made the details of the incident public once the issue was discovered. It is not uncommon for companies to delay the inevitable by weeks or months. The General Data Protection Regulation (GDPR) went into effect in May, which should solve that problem for the most part — but that’s another story. Kudos to Under Armour for its response so far.

How Did This Happen?

A post on the MyFitnessPal site shares the details known so far and offers some guidance for affected users. It explains that Under Armour is notifying all MyFitnessPal users to provide information about how to protect their data, requiring all users to change their passwords, working with law enforcement to investigate and continuing to monitor for suspicious activity, and exploring enhancements to help detect and prevent similar unauthorized access in the future.

“The details about how Under Armour was breached are not available yet, but it would not be surprising to find that the company is joining Yahoo, Uber, Equifax, and others who have been exploited via identity and access,” shared Tom Kemp, CEO of Centrify. “The traditional cybersecurity approach of ‘trust, but verify’ simply does not work anymore in today’s mobile-first, cloud-enabled world where employees can be anywhere and working on multiple devices.”

There aren’t any details yet, but there’s a good chance Kemp is right. Whether an attack is executed by a trusted employee or an external cybercriminal, it is most often done using valid, authorized user credentials. It isn’t enough to just try to guard the gate and keep unauthorized users out — there has to be a way to monitor what’s going on inside the network as well, and to tell whether there is anomalous or suspicious activity to be concerned about.

Kemp explained, “The new mandate is ‘never trust, always verify.’ To protect against breaches that exploit weak or stolen credentials, companies need to adopt a Zero Trust Security model, which assumes that untrusted actors already exist both inside and outside the network. Then they must enforce that approach with next-gen access to verify every user, validate their devices, limit access and privilege, and learn and adapt to user behavior.”

“Unfortunately, we will continue to see large-scale breaches of the applications and services we rely on until security and privacy become board-level priorities,” cautioned Malcolm Harkins, Chief Security and Trust Officer for Cylance. “We need to think beyond the existing traditional view of security as yet another cost center and embrace next-generation security products that enable predictive prevention of attacks before they cause damage.”

Protecting Passwords

The good news for those affected is that the only data that was exposed or potentially compromised was usernames, email addresses, and encrypted passwords. More sensitive — and potentially more harmful — data like Social Security numbers or driver’s license numbers are not collected by MyFitnessPal, and the bank and credit card details are collected and processed separately.

Under Armour states that most of the passwords were encrypted with bcrypt — which is a relatively strong password hashing mechanism. However, some of the passwords were protected using a significantly weaker 160-bit hashing function, SHA-1.

“It’s remarkable the number of companies still storing credentials using insecure hashing algorithms, without salt, etc.,” declared Daniel Miessler, a Director of Advisory Services with IOActive. “Because this is opaque to the customer, users of these types of applications really need to assume this is the case, and that the site will be eventually compromised. We can limit the damage from these types of breaches simply by ensuring that when a hash for a site is compromised, it’s either too long/complex to guess or is only used for that one site.”…
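To make the bcrypt-versus-SHA-1 contrast concrete, here is an added example (not code from Under Armour, MyFitnessPal or anyone quoted in the article) that does what a defender auditing a credential store like the one described would do: classify each stored value as legacy unsalted SHA-1 or as a salted slow hash, spot rows that collide because they lack a salt, and re-hash legacy rows at the user's next successful login. The standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it on the assumption that the properties that matter here are a per-password salt and a tunable work factor; the iteration count and the user table are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Work factor for the salted scheme; tune so one verification costs tens of
# milliseconds on production hardware. Value chosen for this example only.
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password):
    """The weak legacy scheme mentioned in the article: one fast, unsalted
    SHA-1 per password. Two users with the same password get the same value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 is used here as a
    stand-in for bcrypt (assumption for this example)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so verification timing leaks nothing about the digest."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def classify(stored):
    """Identify which scheme produced a stored value (assumed formats)."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if LEGACY_SHA1.match(stored):
        return "sha1_unsalted"
    return "unknown"


def audit_store(store):
    """store: {username: stored_value}. Returns (per-scheme counts, groups of
    users whose stored values are identical). Identical rows can only happen
    when the scheme has no salt, so the groups point straight at legacy rows."""
    counts = {}
    by_value = {}
    for user, value in store.items():
        scheme = classify(value)
        counts[scheme] = counts.get(scheme, 0) + 1
        by_value.setdefault(value, []).append(user)
    collisions = [sorted(users) for users in by_value.values() if len(users) > 1]
    return counts, collisions


def upgrade_on_login(store, user, password):
    """Migration step: a legacy user who authenticates successfully is
    re-hashed with the salted scheme in place. Returns True on success."""
    stored = store[user]
    if classify(stored) == "sha1_unsalted":
        if hmac.compare_digest(sha1_unsalted(password), stored):
            store[user] = hash_password(password)
            return True
        return False
    return verify_password(password, stored)


def build_sample_store():
    """Constructed user table: two legacy rows and two modern rows, each pair
    sharing the same password, to show which pair collides."""
    return {
        "legacy_a": sha1_unsalted("summer2017"),
        "legacy_b": sha1_unsalted("summer2017"),
        "modern_a": hash_password("summer2017"),
        "modern_b": hash_password("summer2017"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    counts, collisions = audit_store(store)
    print("schemes:", counts)
    print("identical stored values:", collisions)
    upgrade_on_login(store, "legacy_a", "summer2017")
    print("after login, legacy_a is now:", classify(store["legacy_a"]))
```

Running the audit on the constructed table reports the two legacy rows as identical even though nobody knows the password, while the two modern rows that share the same password are indistinguishable from any other pair because each carries its own salt. That is exactly why a breached unsalted table is worse than a breached salted one, and why the re-hash-on-login step is worth scheduling before, not after, an incident.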

You can view or read the complete article on Forbes: Security Experts Weigh In On Massive Data Breach Of 150 Million MyFitnessPal Accounts.
