UnderArmour’s data wasn’t under enough armour, it turns out. The company has announced that the personal data of 150 million users of its fitness portal MyFitnessPal was compromised in a breach in February this year.
As shares in the company fell 3.8%, UnderArmour representatives hurried to clarify the situation:
What did they get?
The breach did not involve payment card information, and it didn’t involve government-issued ID like drivers’ licences. So if you’re affected your finances aren’t directly threatened and there’s probably no-one out there taking out a $1m loan in your name… yet.
What was lost was contact email addresses, hashed passwords (scrambled with a one-way function rather than encrypted), and onsite user names.
While these don’t pose much of a direct threat they can all be used to identify users in connection with other tools or methods.
What can they do with it?
For instance, hashed passwords can be recovered using a ‘rainbow table’ – a precomputed collection of the hashes of the most common passwords. Since the most commonly used passwords are still very weak ones like PASSWORD and 123456, it’s trivial to identify them by their hashes when the site stored them unsalted; a per-user salt defeats such precomputed tables, though a weak password still falls to plain guessing.
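To make that concrete, here is an added example (not from the original post or from UnderArmour) using a constructed wordlist and a constructed three-user ‘leak’: unsalted hashes of the weak passwords are matched instantly from a precomputed table, while a per-user random salt makes the same table useless. It is the check a defender runs over a dump to gauge how many accounts are exposed.

```python
import hashlib
import os

# Constructed wordlist of weak passwords; the post itself names PASSWORD and 123456.
COMMON_PASSWORDS = ["123456", "PASSWORD", "password", "qwerty", "letmein"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(passwords):
    """Precompute hash -> password for the wordlist: a tiny stand-in for a rainbow table."""
    return {sha256_hex(p.encode()): p for p in passwords}

def exposure_report(leaked_rows, table):
    """Defender's check on an unsalted dump (username -> hex hash):
    which accounts can be matched against the precomputed table?"""
    return {user: table[h] for user, h in leaked_rows.items() if h in table}

def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user random salt; identical passwords now give different hashes."""
    return sha256_hex(salt + password.encode())

def exposure_report_salted(leaked_rows, table):
    """Same check on a salted dump (username -> (salt, hex hash)). The table was
    built without the salts, so even '123456' no longer matches anything."""
    return {user: table[h] for user, (_, h) in leaked_rows.items() if h in table}

# Constructed sample "leak": two weak passwords and one strong passphrase, unsalted.
LEAKED_UNSALTED = {
    "alice": sha256_hex(b"123456"),
    "bob": sha256_hex(b"PASSWORD"),
    "carol": sha256_hex(b"correct horse battery staple"),
}

# The same three users stored with a fresh 16-byte random salt each.
LEAKED_SALTED = {
    user: (salt, salted_hash(pw, salt))
    for user, pw, salt in (
        ("alice", "123456", os.urandom(16)),
        ("bob", "PASSWORD", os.urandom(16)),
        ("carol", "correct horse battery staple", os.urandom(16)),
    )
}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", exposure_report(LEAKED_UNSALTED, table))   # alice and bob matched
    print("salted:  ", exposure_report_salted(LEAKED_SALTED, table))  # {}
```

Salting defeats the precomputed table but not plain guessing of a weak password, which is why a slow, salted password hash such as bcrypt or Argon2 is the standard choice rather than a bare SHA-256 as used here for brevity.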
And user information on sites like MyFitnessPal can be mined for social and family connections, as well as for personal information that could be used for blackmail, extortion or simply to make identity theft more credible.
UnderArmour has said that user information on the site – conversations, fitness logs – wasn’t affected. But if a user’s login details have been accessed, hackers could easily log in and steal the usage history of 150 million people. We’ve seen what machine learning plus huge data troves can do, not just in the Cambridge Analytica case but in the digital marketing space more generally, where everything from programmatic advertising to personalized marketing emails depends on it. And we’ve seen how the same technology used to try to sell you those sneakers you looked at, but didn’t buy, can be used to commit crimes.
What’s the worst that could happen?
And they don’t have to be long-distance, aggregate-data types of crimes. In a 2016 interview with Digital Trends, Andrew Hilts, executive director of the Canadian data security advocacy organization Open Effect, warned that with the details on offer from tracking apps of all kinds, hackers could ‘suddenly have a very valuable source of intelligence about individuals’ whereabouts.’ MyFitnessPal’s privacy policy allows for collecting precise location data as well as performance data from its users.
Chillingly, you might not even need to be hacked. Most of the fitness apps that collect information – including location tracking – about their users aren’t too clear about the precise lines they’re willing to let that data cross. As a result, says Hilts, ‘We are unclear about how fitness data is being used by a variety of fitness tracking companies.’ But we do have some pointers to go on. ‘Jawbone, for instance, in its policy, claims that your data might be transferred to third parties for the purposes of a “business deal,”’ Hilts observes.
So that’s fine then.
“{SomeApp} wants to: know your location.” Nope nope nope
The bottom line is that you should never give apps permission to track you, and always use a tool that disguises your physical location when you’re online. The data you create might pose no threat now, today, but the profile it builds up about you will be stored indefinitely by one or more organizations that will sell it, hand it over to law enforcement, or worse. And even when they do nothing worse than build it and sit on it, they’ve just proved – again – that they can’t be trusted with it.
If you think now might be a good time to spring a few bucks a month for a VPN that protects you from the worst of all this, check out our reviews and recommendations.
And if you’re a MyFitnessPal user, change your PASSWORD01. Seriously.