The fitness gear maker Under Armour said on Thursday that a breach of its MyFitnessPal website in February resulted in the theft of data on 150 million customers.
Under Armour said it learned of the incident on March 25. The breach affected individuals with MyFitnessPal user accounts. Personal information including the individuals’ user names, email addresses and hashed (or encrypted) passwords were taken.
“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” Under Armour said in a statement.
MyFitnessPal is a health and fitness focused website that allows users to set fitness goals and track activity. The web site can upload data from a wide range of fitness tracking devices including those by Garmin, Fitbit and Jawbone.
In an email notice sent to users, Under Armour said it was forcing MyFitnessPal users to change their passwords and would be monitoring their systems to “detect and prevent unauthorized access to user information.” Victims are encouraged to review other accounts for suspicious activity and to watch out for unsolicited communications asking for personal data or linking to web sites that ask for such data.
This is just the latest security and privacy breach linked to fitness websites. In January, researchers showed how supposedly anonymous data from the fitness app Strava could be used to re-identify US military installations around the world.
Further analysis showed that a Strava API could be used to create bogus workouts and combined with a so-called “fly by” data could to re-identify specific soldiers from those bases.