
Notice of Data Breach - uoflcards22
https://content.myfitnesspal.com/security-information/notice.html
======
komali2
Somebody is about to come across 250 pictures of me in my boxers standing in
front of a dirty mirror with my belly popping out. I only hope they don't
judge me for the size of my belly not really changing over those 250 days...

~~~
borne0
Hi, even if a data breach hadn't happened, did you have any concerns about
people within the company having access to those photos? I also use
myfitnesspal and strava but I have a strong aversion to sharing that kind of
info with anyone, period.

I'm 36, is this a generational thing?

~~~
wingkongex
Did you used to care that some dude at CVS would have possession of your
photographs for hours at a time when you went to get them developed?

~~~
bigiain
So it seems that yes - this is a generational thing :-)

(I'd be curious to run a straw-poll to find out how many Hackernews ever
actually got "photographs developed"...)

~~~
swozey
I'm 34 and I've never had photos developed. When I was old enough (14-15?) to
care about taking pictures of things I had one of those Sony Mavica floppy
disk cameras that could hold something like, I dunno, 30-50 pictures.

But, on the flip side, every time I go to Walgreens there's people getting
photos developed.

------
tragic
> The affected data did not include government-issued identifiers, such as
> Social Security numbers and driver’s license numbers, information that the
> _app does not collect from users_

Well, I suppose it wouldn't, would it? Is this supposed to be impressive?

How many more of these before serious legislation gets through?

~~~
ISL
The article is likely to be repeating what was in a press release or statement
from the company. It's there to bound above the impact of the breach.

~~~
Someone
This _is_ the statement from the company.

~~~
ISL
I'm reasonably certain that the link was changed from an article about the
breach to the company's post.

I'm not completely certain, but that was my impression at the time I wrote the
post.

------
Someone1234
That's unfortunate.

At least we didn't get the stereotypical "your passwords are hashed, so
nothing to worry about" one liner I've been reading from a lot of companies
during disclosures. All they said here is that the passwords are hashed and
with a reasonably secure method -- bcrypt (although without knowing work-
factor and percentage of passwords, it is hard to know just how strongly).

It has become pretty difficult to operate online these days without password
managers. Password reuse has become a massive problem that worsens with each
breach at a popular service. With a password manager you can just rotate the
randomly generated password since you likely didn't know your old one anyway.

Off Topic: I'm surprised nobody makes a hardware "pepper"[0] that supports
popular algorithms. Meaning you hash the password as you normally would (inc.
salt) and then send it through the pepper-ing device for another round before
storing it. That way even if someone stole the database, knew the salt, and
the hashing algorithm+work-factor, they'd still lack the hardware pepper
making their job significantly harder.

[0]
[https://en.wikipedia.org/wiki/Pepper_(cryptography)](https://en.wikipedia.org/wiki/Pepper_\(cryptography\))
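The pepper design sketched above, as an added example that is not part of the comment or of any product: the ordinary salted hash is computed first, then run through an HMAC keyed with a secret that is kept out of the database (the comment's "pepper-ing device"). bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the salted, tunable-cost hash; the pepper key, the iteration count and the sample password are constructed for this example.

```python
"""Added example: software stand-in for a hardware pepper applied after
the salted password hash. Not code from the thread or from MyFitnessPal."""
import hashlib
import hmac
import os

# Constructed: in the comment's design this key lives in a separate device
# and is never written to the database alongside the salts and hashes.
PEPPER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
WORK_FACTOR = 100_000  # PBKDF2 iteration count, the analogue of bcrypt's cost


def salted_hash(password: str, salt: bytes, iterations: int = WORK_FACTOR) -> bytes:
    """Step 1: the usual salted password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pepper(digest: bytes, key: bytes = PEPPER_KEY) -> bytes:
    """Step 2: the extra round done in the separate device. Keyed with a
    secret the database does not contain, so a stolen table of salts and
    outputs cannot be checked offline without that key."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": WORK_FACTOR,
        "hash": pepper(salted_hash(password, salt)).hex(),
    }


def verify(password: str, record: dict, key: bytes = PEPPER_KEY) -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = pepper(salted_hash(password, salt, record["iterations"]), key)
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def offline_guess_without_pepper(password: str, record: dict) -> bool:
    """What someone holding only the database can do: compute the salted
    hash and compare it with the stored value. Because the stored value
    went through the pepper, this never matches, even for the right password."""
    salt = bytes.fromhex(record["salt"])
    unpeppered = salted_hash(password, salt, record["iterations"])
    return hmac.compare_digest(unpeppered, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("login ok:", verify("correct horse battery staple", rec))
    print("wrong password:", verify("hunter2", rec))
    print("guess with database only:", offline_guess_without_pepper("correct horse battery staple", rec))
```

The operational cost of this design is key management: if the pepper key is lost, every stored hash becomes unverifiable at once, so it needs the same backup and rotation discipline as any other long-lived secret.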

~~~
tzs
> All they said here is that the passwords are hashed and with a reasonably
> secure method -- bcrypt (although without knowing work-factor and percentage
> of passwords, it is hard to know just how strongly)

Speaking of proper password hashing--are there any methods similar to bcrypt
but where you can increase the work factor on the currently stored passwords
without having to have access to the plain password?

E.g., suppose you have a database of hashed passwords with work factor 4. You
want to up the work factor to 6. The usual way to do this that I've seen is to
start using 6 for new passwords, and when people with existing passwords log
in you verify the password with the 4 hash, and then before discarding the
plain password you 6 hash it and update the database with that.

But that leaves 4 hash password still working for however long it takes people
to get around to logging in. If you are raising the work factor it is
presumably because you think the old work factor is no longer secure enough,
so you probably don't want the old 4 hashes to keep working.

You could remove the 4 hashes of anyone who doesn't login and get updated
within a reasonable time, making them go through the "forgot my password"
routine, but that will annoy them. Hence, my curiosity about ways to update
the work factor more directly.

There's a kludge way to kind of do it. Go through the database, take all the 4
hashes, and treat those hashes as if they were the passwords, and 6 hash those
and store them, along with a flag that marks this as a transitional password.
When a user with such a password logs in, you 4 hash their plain password, 6
hash the result, and if it matches, you then 6 hash the plain text password
and store the hash, and remove the transitional flag. But this is really quite
ugly.

~~~
heavenlyblue
I think at least Django stores passwords with an additional field that defines
the algorithm used to generate the hash of the password. One could think of a
case where instead of algorithm selection you could properly define a
simplistic DSL that actually defines how the hash is generated:

    algo | hash
    bcrypt(hardness=2,input=INPUT + 23423526) | 938240
    bcrypt(hardness=3,input=INPUT + 342352643) | 239223

Now the only thing that one needs to do is convert this table to:

    algo | hash
    bcrypt(hardness=3,bcrypt(hardness=2,input=INPUT + 23423526)) | 23423423
    bcrypt(hardness=3,bcrypt(hardness=3,input=INPUT + 342352643)) | 90192902

Where

    bcrypt(hardness=3,938240) = 23423423
    bcrypt(hardness=3,239223) = 90192902
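The transitional "hash the stored hash" upgrade that tzs describes and heavenlyblue expresses as a nested-call table, as one added runnable example (not code from either commenter). Each record stores the chain of stages applied to the password, so the whole table can be moved to the new work factor offline, the old single-stage hash stops validating immediately, and the chain is collapsed to a single stage the next time the user logs in. PBKDF2-HMAC-SHA256 stands in for bcrypt, and the mapping from a bcrypt-style cost exponent to an iteration count is an assumption of this example.

```python
"""Added example: work-factor upgrade without the plaintext, by chaining
hash stages. Not code from the thread or from any framework."""
import hashlib
import hmac
import os


def iterations_for(cost: int) -> int:
    # Constructed mapping: like bcrypt, each cost step doubles the work.
    return 1000 * (2 ** cost)


def stage_hash(data: bytes, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations_for(cost))


def apply_chain(password: str, record: dict) -> bytes:
    """Run the password through every stage in order; the output of one
    stage is the input of the next, i.e. bcrypt(6, bcrypt(4, password))."""
    salt = bytes.fromhex(record["salt"])
    data = password.encode()
    for cost in record["chain"]:
        data = stage_hash(data, salt, cost)
    return data


def new_record(password: str, cost: int) -> dict:
    salt = os.urandom(16)
    rec = {"salt": salt.hex(), "chain": [cost], "hash": ""}
    rec["hash"] = apply_chain(password, rec).hex()
    return rec


def raise_work_factor(record: dict, new_cost: int) -> dict:
    """Offline upgrade, no plaintext needed: treat the stored hash as the
    input of one more stage. Every row can be converted in one pass, and a
    copy of the old single-stage hash is no longer what the table holds."""
    salt = bytes.fromhex(record["salt"])
    stored = bytes.fromhex(record["hash"])
    return {
        "salt": record["salt"],
        "chain": record["chain"] + [new_cost],
        "hash": stage_hash(stored, salt, new_cost).hex(),
    }


def login(password: str, record: dict, target_cost: int) -> tuple:
    """Verify against the stored chain. On success, if the record is still
    transitional (more than one stage) or not at the target cost, hash the
    plaintext directly at the target cost and return the replacement record
    that should be written back, dropping the transitional flag."""
    expected = bytes.fromhex(record["hash"])
    if not hmac.compare_digest(apply_chain(password, record), expected):
        return False, record
    if record["chain"] != [target_cost]:
        record = new_record(password, target_cost)
    return True, record


if __name__ == "__main__":
    old = new_record("hunter2", 4)             # stored at work factor 4
    transitional = raise_work_factor(old, 6)   # bulk upgrade, no plaintext
    ok, fresh = login("hunter2", transitional, 6)
    print(ok, transitional["chain"], "->", fresh["chain"])
```

The chain list is the "transitional flag" from the comment; a record whose chain has length one is in its final form. Note that the old single-stage hash is still a valid credential if it survives anywhere (backups, replicas), which is why the upgrade only helps once the old rows are actually overwritten.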

------
propman
Should be a fine every time this happens and a major fine if it was found due
to negligence or not having the appropriate security measures aka yahoo. Yahoo
leadership knew they were understaffed, cut staffing anyways, got rid of any
executive who disagreed, and got no penalty for their mistakes.

Make it more costly to get fined than it is to get hacked. Or some white
collar jail time if it was negligence or covering it up.

~~~
jacquesm
The GDPR will cover that. And those fines are _massive_. It's not going to be
a magic bullet against breaches but the effect will definitely be that
companies will start to see security no longer as optional or an afterthought
but a direct liability if not taken care of properly.

------
JimDabell
The MyFitnessPal database has been compromised for _years_. I register with a
unique email address for every website and app that I use so that I can tell
when somebody's database gets compromised or they sell my data. I started
getting an influx of spam to my MyFitnessPal email years ago. I told them
about it at the time but they didn't care.

~~~
corpMaverick
How do you do this ?

~~~
JimDabell
The way most people do this is with plus addressing. If your mail provider
supports it (e.g. Gmail does), you can send email to
someuser+somewebsite@example.com and it will be delivered to
someuser@example.com. There are a minority of websites and apps that reject
emails like that, but they are quite rare and the vast majority don't have any
issue with it.

If you have your own domain name, you can set up a catch-all address, so if
you own example.com, then you can register on websites and in apps with
somewebsite@example.com instead. This works everywhere.

You can then look at what email address an email was addressed to to see how
the sender got hold of your email address, and you can filter and block future
emails based on that address as well. So if, for instance, you've registered
with MyFitnessPal with myfitnesspal@example.com, then you can cut off
everybody who's got hold of your email address via the MyFitnessPal breach
with 100% effectiveness using one spam rule.
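The filtering step described above, as an added example that is not part of the comment: derive the per-service tag from the address a message was delivered to, for both the plus-addressing form (someuser+tag@example.com) and the catch-all form (tag@example.com), and block anything addressed to a tag that has leaked. The domain, mailbox name, block list and the two sample messages are all constructed for this example.

```python
"""Added example: per-service address tags as a spam block rule.
Not code from the thread; the addresses below are made up."""
import email
import email.utils
from typing import Optional

MY_DOMAIN = "example.com"        # assumed: the domain you control
MY_USER = "someuser"             # assumed: the mailbox used for plus addressing
BLOCKED_TAGS = {"myfitnesspal"}  # tags whose addresses have leaked


def service_tag(address: str) -> Optional[str]:
    """Return the tag identifying which service was given this address."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != MY_DOMAIN:
        return None
    user, plus, tag = local.partition("+")
    if plus and user == MY_USER:
        return tag        # someuser+myfitnesspal@example.com
    if not plus and user != MY_USER:
        return user       # catch-all: myfitnesspal@example.com
    return None           # plain someuser@example.com carries no tag


def classify(raw_message: str) -> str:
    """'block' if any recipient address belongs to a leaked tag, else 'allow'."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    for _name, addr in email.utils.getaddresses(headers):
        if service_tag(addr) in BLOCKED_TAGS:
            return "block"
    return "allow"


# Constructed sample messages
SAMPLE_LEAKED = """From: promo@deals.invalid
To: "Some User" <someuser+myfitnesspal@example.com>
Subject: Lose weight fast

Click here
"""

SAMPLE_FINE = """From: friend@example.org
To: someuser@example.com
Cc: lunch@example.com
Subject: lunch?

Tomorrow?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LEAKED, SAMPLE_FINE):
        print(classify(raw))
```

Looking at Delivered-To as well as To and Cc matters because spam sent to a leaked tag often carries an unrelated or missing To header; the envelope recipient recorded by your own mail server is the reliable signal.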

------
masslessness
Imagine this happening in any other industry.

"Oh hi users, the things you gave to us and we were supposed to keep safe,
well, someone came and took them."

Say the bank sent all their customers a similar message, how would their
customers be expected to react? Why is it any different in the tech industry?

Basically these apology messages amount to: "Someone accessed your private
stuff, please change the special key you use to access your stuff. End."

Should there be more to this than just that? Yes you'll make sure the locks
are stronger, but what about that thing I've now lost? What are you going to
do about that?

~~~
__david__
> Imagine this happening in any other industry.

You mean like when Home Depot lost thousands of credit card numbers? Or when
Target did the same? Or when Equifax lost millions of people's private data?

The response is always "Welp, sorry! We'll do better next time!" and the tech
industry isn't alone here.

------
BadassFractal
I wonder if the daily progress photos were leaked as well. I imagine most
people won't be thrilled to have their not-too-flattering progress selfies be
out in public for the whole world to see.

Side note: MyFitnessPal the app is awful, but many of us still use it because
it has the most extensive database of food products out there. Outside of that
it has no merit and has felt abandoned in forever. Can someone recommend an
actually superior alternative?

~~~
matthewmacleod
What’s wrong with it, out of interest? It seems to work perfectly reliably for
me, and I’m super happy that they aren’t getting all change-happy with it.

~~~
bcongdon
The iOS app has been pretty good (if a bit buggy and slow), but the desktop
web interface is so bad to the point that I haven't used it in over a year --
and I use myfitnesspal daily.

~~~
BadassFractal
I've definitely had the app perma-crash on me recently, where the only way to
get out of the boot-then-crash loop was to delete and reinstall it.

It also fails at the iOS quick access menu about 80% of the time. e.g. you
hard-press the app icon, go to "log food" and it goes back to the home page.
Or you do the same for "scan barcode" and again most of the time it opens the
app and sends you to the home page again. This has been the case for months.

------
jnsaff2
No info either way about whether people's very personal fitness data was
breached, eating habits, weight, other measurements. Appalling PR speak.

~~~
AznHisoka
I hope the log of my sex activity resulting in losing 20 lbs wasn't breached!

~~~
jnsaff2
The other comment was flagged but the point I was trying to make is that these
two data points of lots of sex and radical weight loss can be interpreted as
being promiscuous and getting HIV. Or obviously as a success and success.

Which is just why breach of this data is dangerous.

------
bhouston
MyFitnessPal was a horribly written app when I used it. The idea was good but
God was it slow as hell when doing simple things.

~~~
lev99
I started using the app in 2012. I still use it.

I'm under the impression it's the best nutrition tracking app.

I've moved on to iHealth for tracking weight and exercise amounts, for which I
used MyFitnessPal in the past. This information is still in MyFitnessPal, and
I will sometimes look at the graphs there, but not often. Apple Watch and a
Bluetooth scale are great for the quantified self.

~~~
OldSchoolJohnny
MFP is extremely limited when it comes to tracking micronutrients. If all you
care about are very basic facts it's alright.

If you care about much more then Cronometer is commonly considered the best.

~~~
artichikin
thanks! cronometer founder here :-) my indie hackers interview for anyone that
cares:
[https://www.indiehackers.com/interview/03874047f2](https://www.indiehackers.com/interview/03874047f2)

~~~
papa_bear
Awesome, I didn't realize you did an interview! I have a ton of respect for
the high standards you've been maintaining with data quality, keep it up.

------
matt_wulfeck
> _The affected information included usernames, email addresses, and hashed
> passwords - the majority with the hashing function called bcrypt used to
> secure passwords._

I really appreciate them including this information. It shows they’re
following best practices and I don’t need to read the rest of the article with
a grain of salt.

~~~
aaronharnly
Except when you get to the part about “the rest of the passwords were hashed
with SHA1”...

------
iamben
No notification via email or app for me as of yet... Seems like the sort of
thing I should hear from them first, rather than the Baltimore Sun.

~~~
geerlingguy
I got an email an hour ago, but I signed up fairly recently. Maybe emails are
in batch, reverse order.

~~~
fastball
I got an email at 9:54 EST (half an hour ago), and I've been a user for years
now. So it's not exactly the most prompt email I've ever received.

------
internobody
Perhaps this will also prompt them to start using HTTPS as well?

~~~
Thriptic
It's funny you would mention that because I also got annoyed by this and
submitted a feature request for https. This is the response I received:

Hello,

Thanks for writing into us regarding https on MyFitnessPal.

We have technical and organizational measures in place to protect your
information. Specifically, we have a secure login process designed to protect
your information as you access MyFitnessPal (i.e., login and profile data are
submitted using HTTPS POST actions).

The login pages of the MyFitnessPal that are encrypted via https include:

[http://www.myfitnesspal.com](http://www.myfitnesspal.com)
[http://www.myfitnesspal.com/login](http://www.myfitnesspal.com/login)
[http://www.myfitnesspal.com/logout](http://www.myfitnesspal.com/logout)

Although our home page at
[http://www.myfitnesspal.com](http://www.myfitnesspal.com) may not indicate
the presence of https in your browser's interface, the actual login "lightbox"
or pop-over window on the home page does send your login credentials via
https.

After login, the MyFitnessPal website does not always load in HTTPS only mode
(i.e. padlock not fully closed or green). This is because we sometimes load
public content like images, public text from Under Armour, images & text from
our advertising partners, and other non-user data using HTTP. While we load
that public content using HTTP, we load user content using HTTPS.

We also continue to evaluate the security of our platforms, and have a
dedicated team of cybersecurity professionals focused on this area. We will
continue to review our security protocols to protect personal data.

Please let us know if you have additional questions or concerns.
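The arrangement the support reply describes, a page served over http:// whose login form posts to https:// while images, scripts and stylesheets still load over http://, can be checked mechanically. The following is an added example, not code from the thread or from MyFitnessPal: it parses a page's HTML, resolves every form action and subresource against the page URL, and reports them by scheme. The sample page and host names are constructed.

```python
"""Added example: audit which parts of a login page are protected by HTTPS.
Not code from the thread; the sample markup is made up."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ResourceCollector(HTMLParser):
    """Collect form actions and script/img/stylesheet URLs as absolute URLs."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []         # (absolute action URL, method)
        self.subresources = []  # absolute URLs of scripts, images, stylesheets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self.forms.append((action, (a.get("method") or "get").lower()))
        elif tag in ("script", "img") and a.get("src"):
            self.subresources.append(urljoin(self.page_url, a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            self.subresources.append(urljoin(self.page_url, a["href"]))


def audit(page_url: str, html: str) -> dict:
    p = ResourceCollector(page_url)
    p.feed(html)
    report = {
        "page_over_https": urlsplit(page_url).scheme == "https",
        "forms_posting_over_https": [u for u, _ in p.forms if urlsplit(u).scheme == "https"],
        "forms_posting_over_http": [u for u, _ in p.forms if urlsplit(u).scheme != "https"],
        "http_subresources": [u for u in p.subresources if urlsplit(u).scheme == "http"],
    }
    # An https action on an http page is not enough: the page itself, and so
    # the form and any script on it, can be rewritten in transit before the
    # browser ever submits. Credentials count as protected only when the page
    # is https and every form posts over https.
    report["credentials_protected"] = (
        report["page_over_https"] and not report["forms_posting_over_http"]
    )
    return report


# Constructed sample: http page, https login form, http subresources
SAMPLE_PAGE_URL = "http://www.example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//ads.example.test/tag.js"></script>
</head><body>
<img src="/images/logo.png">
<form action="https://www.example.test/account/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Protocol-relative `//host/path` references inherit the page's scheme, which is why the same markup yields a different report once the page itself is served over HTTPS.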

~~~
nathanaldensr
It's hard to believe that not only are they _this_ clueless, but they also are
trying to justify their idiotic decisions. Jesus, how hard can it be to set up
TLS? Let's Encrypt, anyone?

------
antonkm
This is how transparent an organization should be when breached. Kudos to
Under Armour.

~~~
samthecoy
GDPR, the new EU Data Protection legislation, will actually require companies
to issue notification of a breach of PII, within 7 days of becoming aware of
it, I believe.

~~~
M2Ys4U
That only applies to notification to the data protection authority unless the
breach "is likely to result in a high risk to the rights and freedoms of
natural persons".

------
lanius
Any free MyFitnessPal alternatives with an open API for retrieving
diet/exercise activity?

~~~
Distant_horizon
Check out Lifesum [https://lifesum.com/](https://lifesum.com/)

------
PuffinBlue
Signed up to MFP yesterday to test it out. Immediately noticed they don't use
https (though the login forms appear to be submitted over https).

I thought to myself - on the face of it they don't seem too hot on security, I
wonder how long it will be before they get hacked or something?

Well, I wasn't expecting less than 24 hours.

------
greggarious
This breach notification is very mealy mouthed.

>The affected information included usernames, email addresses, and hashed
passwords

It _included_ usernames, emails, and hashed passwords? So what else was
breached? This seems like they are implying nothing serious was stolen without
giving specific info.

~~~
borplk
I'm 99% certain it included everything.

From what I have seen very very few companies have strictly separated
databases for different types of data and so on.

For the vast majority of companies a compromise is an all or nothing event.

------
mvpu
"On March 25, 2018, we became aware that during February of this year an
unauthorized party acquired data associated with MyFitnessPal user accounts"
=> highly likely they stole more than what MFP thinks they stole.. we don't
know what we don't know. Sigh.

------
loeg
Ah, I had an account here. Checked Lastpass, and, great! They've got my six
character don't-care-about-MyFitnessPal-security password. bcrypt will not
save its secrecy in any way, but it hardly matters.

------
daniel_iversen
Props for them doing the right thing and hopefully nothing bad comes out of it
- looks like they’ve built a useful product. One thing that’s odd to me on
many levels though is that it was their Chief Digital Officer signing the
announcement and not their head of security. Don’t they have one? Wasn’t this
severe enough? I know it’s just perception but still!

------
Dzidas
I wonder, can I get a dump of the data collected on me based on the European
Law? Similar, that Facebook provides to everyone.

~~~
icebraining
Presumably yes. The site of the guy who sued FB has a template you might be
able to reuse[1], although it mentions the Irish implementation of the Data
Protection directive, whereas Under Armour Europe B.V. is Dutch, so you should
probably change that.

[1] [http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data...](http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html)

------
llccbb
Does anyone have a good offline FOSS for macro-nutrient lookup and tracking?
Been thinking about starting one for myself.

~~~
Someone1234
The biggest limitation seems to be getting the nutrient information itself.
MyFitnessPal has a huge database of off the shelf food products built in (and
restaurants) from all over the world. Much of that information provided to the
company for free by its users.

MyFitnessPal has a similar advantage to Google, they have the most and richest
data, and anyone else entering that market starts at a huge disadvantage. You
could definitely make a FOSS app of the core tracking concept, it is just
going to be super painful to use compared to MyFitnessPal.

~~~
rojobuffalo
You're absolutely right about datasets being a constraint for any new entrant.
The USDA SR28 is free and open but limited scope. OpenFoodFacts has a great
dataset overall but ~~you can't download it (other than rate-limited
scraping),~~ the license is ~~strict~~ share-alike; and there isn't an OFF
personal consumption tracker.

~~~
sl956
No need to scrape Open Food Facts, they kindly offer a download of the whole
database as csv, rdf or mongodb dump:
[https://world.openfoodfacts.org/data](https://world.openfoodfacts.org/data)

It is 100% crowd sourced open data under the ODbL licence (same as
OpenStreetMap).

~~~
rojobuffalo
Thanks for that correction. I recall there being a clear reason why I couldn't
use their data in my app. But maybe I had it wrong. I remember reading that if
my app collected new data about foods and I was using the OFF db, I had to
commit to making all my data free and open. I was worried about the possible
case that personal food consumption data would be vulnerable to that share-
alike constraint.

~~~
teolemon
No, no worries about personal consumption. What the ODbL requires you to do is
to add missing products. Not add data outside the scope of the original
database. (I'm an Open Food Facts admin)

Also please don't scrape us, since we release nightly dumps of the DB :)

~~~
rojobuffalo
Thanks for clarifying that. And that's great that those DB downloads are
available. I didn't like the idea of scraping the data in the first place so
never went that route.

~~~
teolemon
Feel free to ping me at pierre openfoodfacts.org We have an online discussion
chat, if you want to integrate OFF at some point, and have questions about the
ODbL

------
aviv
People are so numb to these data breaches, companies will soon report such
breaches just for the free press they get.

------
konceptz
The next thing people will check may be insider trading:
[https://www.nasdaq.com/symbol/ua/insider-trades](https://www.nasdaq.com/symbol/ua/insider-trades)

Can anyone more versed in this do a quick look for abnormal behavior?

------
urlgrey
The breach notice indicates that hashed passwords were compromised but doesn't
mention whether a salt was used when computing the hashes.

Use of a salt makes all the difference, guarding against the use of rainbow
tables to look up precomputed hashes of common passwords.

~~~
mfonda
> The affected information included usernames, email addresses, and hashed
> passwords - the majority with the hashing function called bcrypt used to
> secure passwords.

If they're using bcrypt, then they're using salts since salts are built in to
bcrypt.

------
dvcrn
Tried to change my password just now but can't. Clicking on 'change password'
logs me out again, anyone else?

------
djflutt3rshy
Announcing it after markets close and right before a long weekend (markets are
closed on Good Friday). Classy.

------
tomcooks
I assume it's a bigger problem for females, because of the different way
society perceives female or male sexuality.

E.g. I don't think i would really care about pics of my dick being made
public, but plenty of women get routinely harassed (often to the point of
sexual assault or suicide) because of sexy selfies some idiot shared with
friends.

------
oculusthrift
hm anyone know if they are salted as well?

------
colemannugent
Mods, there's a better article on Reuters:
[https://www.reuters.com/article/us-under-armour-databreach/u...](https://www.reuters.com/article/us-under-armour-databreach/under-armour-discloses-breach-of-150-million-myfitnesspal-user-accounts-idUSKBN1H532W)

~~~
gaius
Better in what way? This is notable because it is the official word of the
company, so we can discuss how forthcoming they are.

------
corobo
Official release [https://content.myfitnesspal.com/security-information/notice...](https://content.myfitnesspal.com/security-information/notice.html)

~~~
sctb
Thanks, we've updated the link from
[http://www.baltimoresun.com/business/under-armour-blog/bs-bz...](http://www.baltimoresun.com/business/under-armour-blog/bs-bz-under-armour-myfitnesspal-breach-20180329-story.html).

------
getsugablitz2
I use my Facebook as the login mechanism for MyFitnessPal, I wonder if that
means my Facebook password has been stolen as well.

Better change it, sigh...

~~~
JshWright
MyFitnessPal never had your Facebook password, so there's no way for it to be
stolen by a breach.

~~~
electrichead
They would have had a long lived token though

------
arcbyte
Should we actually care? I really didn't care even when my OPM info got
hacked. Just make this shit public and stop believing in secrets.

~~~
scottmf
Zuck?

------
graystevens
Would be interesting to know how they identified the breach. It is exactly
these situations that I produced Breach Insider[0], in the hope to try and
reduce the time to detection down from months to days.

Those of you affected by this breach, have you noticed any unusual spam/emails
recently, that may be related to MFP? I’m wondering if they got the tip-off
from their users.

[0] [https://breachinsider.com](https://breachinsider.com)

------
mfp001
I received an email notification of the MyFitnessPal breach. I don't use that
package or any other related products or service. Should I be concerned?

