Under Armour’s MyFitnessPal program is picking up the pieces after a recent data breach affected 150 million users.
In late February, an “unauthorized party” reportedly hacked into the health-tracking service, stealing account usernames, email addresses, and hashed passwords.
Fortunately, the exposed codes were scrambled using the bcrypt hashing algorithm, so they’ll be tough for the thieves to crack. Still, users are urged to change their MyFitnessPal credentials (and any other accounts using the same password) immediately.
It does not appear any payment card data or government-issued identifiers (Social Security and driver’s license numbers) were filched.
“Once we became aware, we quickly took steps to determine the nature and scope of the issue,” MyFitnessPal Chief Digital Officer Paul Fipps wrote in an announcement.
“We are working with leading data security firms to assist in our investigation,” he assured. “We have also notified and are coordinating with law enforcement authorities.”
The memo was released to the MyFitnessPal community on Thursday—four days after parent company Under Armour learned of the breach—via email and in-app messaging.
“We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information,” Fipps said.
Other recommendations include reviewing accounts for suspicious activity and remaining vigilant about any unsolicited communication asking for personal data. And, as ever, don’t click on links or download attachments from suspicious emails.
MyFitnessPal also published additional security information and guidelines online, going as far as to suggest placing a “security freeze” on credit files to prevent fraudulent charges.
There is no word yet on who carried out the attack.
MyFitnessPal is a free smartphone app that tracks diet and exercise and uses gamification to motivate users and help them reach their health goal. Founded in 2005, the service was acquired by Under Armour in February 2015 for a reported $475 million.