
MyFitnessPal & The Value of Health Data

Written by Reflare Research Team | Mar 30, 2018 1:06:00 PM

MyFitnessPal experienced a significant data breach putting the account information of 150 million users at risk. Although not as sexy as some targets, MyFitnessPal is one of the world's largest health databases, which raises questions about the value of our biodata.


Witness the fitness.


According to the press release, an unidentified unauthorized party accessed datasets belonging to MyFitnessPal users in late February 2018. The data potentially breached includes email addresses, usernames and hashed passwords. Notably, health and payment data were stored separately and at the time of writing nothing indicates that they were compromised as well.

What is the impact?

While a breach impacting 150 million users is bound to draw at least some media and regulator backlash, we expect the overall impact of this attack to be limited. According to Under Armour, the passwords in question were hashed using bcrypt - one of the strongest password hashing algorithms currently in use. Because bcrypt combines a unique per-password salt with a configurable work factor, it is very resistant to both brute-force and rainbow-table attacks, meaning that very few if any of the leaked passwords are likely to be cracked. The large number of leaked email addresses will doubtlessly lead to a regulatory inquiry, but is unlikely to earn Under Armour more than a modest fine due to the lack of leaked health data.
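To make the two properties the paragraph relies on concrete, the following added example (not code from the original post or from Under Armour) stores a small set of constructed user passwords once with an unsalted single-pass hash and once with a salted, iterated key derivation. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here; the salt and work-factor behaviour that defeats precomputed tables and slows guessing is the same. The user names, passwords and the short "common password" list are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor: number of PBKDF2 rounds. bcrypt exposes the same idea as its
# "cost" parameter; raising it makes every guess proportionally slower.
KDF_ITERATIONS = 100_000


def hash_password_fast(password: bytes) -> str:
    """The weak scheme: one unsalted SHA-256 pass. Identical passwords give
    identical digests, so a table computed once matches every reuse."""
    return hashlib.sha256(password).hexdigest()


def hash_password_slow(password: bytes, salt: Optional[bytes] = None,
                       iterations: int = KDF_ITERATIONS) -> str:
    """The strong scheme: per-user random salt plus a tunable work factor.
    PBKDF2-HMAC-SHA256 is used as a stand-in for bcrypt (assumption: the
    verifier has no bcrypt package); the storage record is self-describing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password,
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def precomputed_table_hits(stored_records: Iterable[str],
                           candidates: Iterable[bytes], hasher) -> int:
    """Count stored records matched by a table built once from `candidates`.
    With the unsalted hasher the table lines up with every reused password;
    with the salted hasher the table builder has no per-user salt to work
    with, so its digests never match a stored record."""
    table = {hasher(pw): pw for pw in candidates}
    return sum(1 for rec in stored_records if rec in table)


def demo() -> dict:
    # Constructed sample data: three users, two of whom reuse the same password.
    users = {"alice": b"summer2018", "bob": b"summer2018", "carol": b"tr0ub4dor&3"}
    common = [b"123456", b"password", b"summer2018"]  # constructed short list
    weak_store = [hash_password_fast(pw) for pw in users.values()]
    strong_store = [hash_password_slow(pw) for pw in users.values()]
    return {
        "unsalted_hits": precomputed_table_hits(weak_store, common, hash_password_fast),
        "salted_hits": precomputed_table_hits(strong_store, common, hash_password_slow),
        # Same password, different salt: records never collide, so reuse is not visible.
        "salted_records_distinct": len(set(strong_store)) == len(strong_store),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows two hits against the unsalted store (the reused password matches both users), zero against the salted store, and three distinct salted records even though two users share a password. Legitimate verification still works because `verify_password` reads the salt and cost back out of the record, which is exactly how bcrypt strings are laid out as well.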

Health Data

The situation would be very different if health data were included in the breach. For one, end users' reactions are often proportional to the perceived privacy level of the compromised data. Many regard their personal health information as far more sensitive than an email address or username. Attackers know this, and have abused such health information for blackmail and identity theft attacks in the past. While price data fluctuates widely, health-related data sets commonly outprice credit card-related datasets on the black market for this reason.

For another, Under Armour is a US company, and the US government's HIPAA legislation establishes additional stringent requirements for the handling of health data and breaches involving it.

Summary

While a large number of datasets were potentially breached, we expect the fallout from this hack to be minor due to the strong hashing function used on the passwords and the lack of leaked health data.

Had the passwords been protected by weaker methods or had health data leaked, the incident would likely carry a significantly higher cost for Under Armour both in terms of regulatory consequences and image damage.

Even when breaches do happen, the overall security level of a company plays a significant role in how they will play out.