Did MyFitnessPal Just Have a MAC Attack?

On March 25^th, Under Armour was made aware that they had an unauthorized party gain access and acquire data associated with 150 million MyFitnessPal user accounts. The information they could’ve gathered includes, but is not limited to, usernames, email addresses, and hashed passwords. What are hashed passwords? Hashed passwords, from a high level, happen when passwords are ran through a mathematical function to create an encrypted version and a message authentication code (MAC) of a plaintext password. In MyFitnessPal’s case, they used a bcrypt hashing function, the same type that was used by formerly hacked Ashley Madison. After the Ashley Madison hack, the entire database and all password hashes were made available to the hackers of the world and now they have the password hashes of MyFitnessPal too.

What does this mean for those of you that have an account on MyFitnessPal? 

One of the first knee-jerk reactions may be to log into your account, change the password, and go on about your business. This, however, should be the last thing you do. It hasn’t been established whether the detected “Unauthorized Party” has been identified yet, therefore contained and controlled. If you change your password, it could mean that they now have your new password.

A better course of action would be to immediately change your passwords for ALL other accounts that share the same email address, username, and password combination. You could delete your MyFitnessPal account, or you could leave it there in a so called quarantined status, but know this, all the data from that account has been breached.

Despite this breach, or others like it where there’s nothing we could have done to avoid it, we should all have a healthy dose of paranoia when it comes to emails, URL links, and attachments. If you receive an email requesting data, or that provides you with a link to enter data, validate it by picking up the phone and talking to someone first. We have to have proper digital hygiene as we put more and more data about ourselves into our applications, on social media, and stored in cloud services. Also, don't use public USB charging docks or cables.

Here are some additional preventative things you can do:

1. Automate backups

There are several options out there and it’s worth every bit of effort to set up automatic nightly backups to the cloud-based service. That way, if your data is corrupted or happens to fall victim to the next ransomware or day zero attack, you’ll only be out of one day’s worth of data.

Yes, you read that right, insurance for the entire family, including those under the age of 18. You might wonder why you need to do this when your kids aren’t of age to worry about identity theft. Well, I think we all can agree that most kids have at least 10 online accounts from social media to the latest cool app. These apps are known for collecting personal data that could be used to open lines of credit, effectively ruining their credit history before they even apply for their first credit card.

3. Install all updates and patches to all devices, since most patches fix known security vulnerabilities

 
4. Use VPNs when, and if, possible

If you don’t want your data visible to potential unwanted viewers, then you need to encrypt your data through a VPN connection. If you’re using public or free WiFi, then assume that anyone that owns that WiFi, or someone spoofing that free WiFi and running a “Man in the Middle” attack, can see anything and everything you do.

This is never an easy discussion, but reality is not always an “easy button” discussion. There are known and unknown predators out there and it’s our responsibility to protect our family and loved ones from the threats they present. Criminals have always used technology to their advantage or to gain an advantage. With little effort and research, these predators can track the habits and pattern with surprising accuracy, all via social media posts, Instagram photos and, other various social platforms. To make it harder to track these posts, photos, and habits, turn GPS location off.

It’s always a good habit to NOT have your default account or user account assigned with Admin privileges. This can act as a prevention method, removing the rights, to help prevent, malicious software the ability to install itself onto your device.

In other words, you wouldn’t park your car in a bad neighborhood with the windows rolled down and a $100 bill on the front seat, so use the same mindset in the digital world.

For more information about how you can protect yourself online, check out some of our previous blog posts:

• How to Secure Your Privacy in the Internet of Me
• Dirty Wi-Fi: How to use free Wi-Fi safely while you’re traveling
• 8 Ways to Stay Safe During Black Friday & Cyber Monday

If you’d like to speak with a member of our Security Team to learn more about how you can protect your home or business from cybersecurity attacks, please contact us and a team member will get back to you.

About the Author
Derrick Whisel has worked in IT for over 20 years, with extensive experience in project engineering, management, scoping, budgeting and design. He began his career in the military, and after being honorably discharged as an IT2 Second Class Petty Officer, moved into the private sector where he now works as a Senior Technology Advisor, Security Solutions with Internetwork Engineering heading up their Security practice. Connect with Derrick on LinkedIn.