Under Armour: Even a Maker of Cheap Apparel Can Be a Hacker’s Target

Print Email

When Equifax data was hacked, it was understandable the public panicked. The cyberattack involved 145.5 million people. Since Equifax holds credit data on customers, the danger to these people was substantial.  Under Armour Inc. (NYSE: UAA), which makes relatively inexpensive clothing, was hacked yesterday. About 150 million MyFitnessPal accounts were affected. And, it appears that no data that might be useful in stealing essential customer data was taken. Compared to other large cyberattacks, it is not very consequential.

However, it does show, once again, that hacking huge systems is not hard for skilled cybercriminals.

Under Armour announced:

… that it is notifying users of MyFitnessPal – the company’s food and nutrition application and website – about a data security issue. On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.

Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities. The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.

Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.

While the email addresses are potentially useful to a hacker, the “government-issued identifiers” and “payment card data” would be a gold mine.

The break-in generated a great deal of press coverage because of its size. The seriousness of the event is another issue.