Somebody is about to come across 250 pictures of me in my boxers standing in front of a dirty mirror with my belly popping out. I only hope they don't judge me for the size of my belly not really changing over those 250 days...
> The affected data did not include government-issued identifiers, such as Social Security numbers and driver’s license numbers, information that the *app does not collect from users*

Well, I suppose it wouldn't, would it? Is this supposed to be impressive?

How many more of these before serious legislation gets through?
That's unfortunate.

At least we didn't get the stereotypical "your passwords are hashed, so nothing to worry about" one-liner I've been reading from a lot of companies during disclosures. All they said here is that the passwords are hashed and with a reasonably secure method -- bcrypt (although without knowing work-factor and percentage of passwords, it is hard to know just how strongly).

It has become pretty difficult to operate online these days without password managers. Password reuse has become a massive problem that worsens with each breach at a popular service. With a password manager you can just rotate the randomly generated password since you likely didn't know your old one anyway.

Off Topic: I'm surprised nobody makes a hardware "pepper"[0] that supports popular algorithms. Meaning you hash the password as you normally would (inc. salt) and then send it through the peppering device for another round before storing it. That way even if someone stole the database, knew the salt, and the hashing algorithm+work-factor, they'd still lack the hardware pepper, making their job significantly harder.

[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)
Should be a fine every time this happens and a major fine if it was found due to negligence or not having the appropriate security measures, aka Yahoo. Yahoo leadership knew they were understaffed, cut staffing anyway, got rid of any executive who disagreed, and got no penalty for their mistakes.

Make it more costly to get fined than it is to get hacked. Or some white collar jail time if it was negligence or covering it up.
The MyFitnessPal database has been compromised for *years*. I register with a unique email address for every website and app that I use so that I can tell when somebody's database gets compromised or they sell my data. I started getting an influx of spam to my MyFitnessPal email years ago. I told them about it at the time but they didn't care.
Imagine this happening in any other industry.

"Oh hi users, the things you gave to us and we were supposed to keep safe, well, someone came and took them."

Say the bank sent all their customers a similar message, how would their customers be expected to react? Why is it any different in the tech industry?

Basically these apology messages amount to: "Someone accessed your private stuff, please change the special key you use to access your stuff. End."

Should there be more to this than just that? Yes you'll make sure the locks are stronger, but what about that thing I've now lost? What are you going to do about that?
I wonder if the daily progress photos were leaked as well. I imagine most people won't be thrilled to have their not-too-flattering progress selfies be out in public for the whole world to see.

Side note: MyFitnessPal the app is awful, but many of us still use it because it has the most extensive database of food products out there. Outside of that it has no merit and has felt abandoned forever. Can someone recommend an actually superior alternative?
> *The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.*

I really appreciate them including this information. It shows they’re following best practices and I don’t need to read the rest of the article with a grain of salt.
Signed up to MFP yesterday to test it out. Immediately noticed they don't use https (though the login forms appear to be submitted over https).

I thought to myself - on the face of it they don't seem too hot on security, I wonder how long it will be before they get hacked or something?

Well, I wasn't expecting less than 24 hours.
</grf_replace_placeholder_never_used>
This breach notification is very mealy-mouthed.

> The affected information included usernames, email addresses, and hashed passwords

It *included* usernames, emails, and hashed passwords? So what else was breached? This seems like they are implying nothing serious was stolen without giving specific info.
"On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts" => highly likely they stole more than what MFP thinks they stole... we don't know what we don't know. Sigh.
Ah, I had an account here. Checked Lastpass, and, great!
They've got my six character don't-care-about-MyFitnessPal-security password. bcrypt will not save its secrecy in any way, but it hardly matters.
Props for them doing the right thing and hopefully nothing bad comes out of it - looks like they’ve built a useful product. One thing that’s odd to me on many levels though is that it was their Chief Digital Officer signing the announcement and not their head of security. Don’t they have one? Wasn’t this severe enough? I know it’s just perception but still!
The next thing people will check may be insider trading: https://www.nasdaq.com/symbol/ua/insider-trades

Can anyone more versed in this do a quick look for abnormal behavior?
The breach notice indicates that hashed passwords were compromised but doesn't mention whether a salt was used when computing the hashes.

Use of a salt makes all the difference, guarding against the use of rainbow tables to look up precomputed hashes of common passwords.
I assume it's a bigger problem for females, because of the different way society perceives female or male sexuality.

E.g. I don't think I would really care about pics of my dick being made public, but plenty of women get routinely harassed (often to the point of sexual assault or suicide) because of sexy selfies some idiot shared with friends.
Mods, there's a better article on Reuters:
https://www.reuters.com/article/us-under-armour-databreach/under-armour-discloses-breach-of-150-million-myfitnesspal-user-accounts-idUSKBN1H532W
Official release: https://content.myfitnesspal.com/security-information/notice.html
I use my Facebook as the login mechanism for MyFitnessPal, I wonder if that means my Facebook password has been stolen as well.

Better change it, sigh...
Would be interesting to know how they identified the breach. It is exactly for these situations that I produced Breach Insider[0], in the hope of reducing the time to detection from months to days.

Those of you affected by this breach, have you noticed any unusual spam/emails recently that may be related to MFP? I’m wondering if they got the tip-off from their users.

[0] https://breachinsider.com
I received an email notification of the MyFitnessPal breach. I don't use that package or any other related products or service. Should I be concerned?