Under Armour has notified users of its MyFitnessPal food and nutrition app of a large-scale user data breach that occurred in late February. The company’s investigation into the breach is ongoing, according to a statement, but so far indicates that the usernames, email addresses, and passwords of approximately 150 million users have been compromised.
“We understand that you value your privacy and we take the protection of your information seriously,” Under Armour wrote in a message sent to MyFitnessPal users yesterday. “Once we became aware, we quickly took steps to determine the nature and scope of the issue.”
Under Armour said in a statement that it first learned of the breach and began its investigation on March 25. The data breach does not appear to include government-issued identifiers such as Social Security numbers and driver’s license numbers, which the app does not collect, or any payment data, as these are handled separately.
In the emails and in-app messages sent to users yesterday, the company recommended that users change the password on any other account or service where it is the same as or similar to the one used for the MyFitnessPal app, and that they remain vigilant for any suspicious activity. All users will be required to change their passwords, and are encouraged to do so quickly.
“We are working with leading data security firms to assist in our investigation,” the company wrote to its users. “We have also notified and are coordinating with law enforcement authorities.”
MobiHealthNews has reached out to Under Armour for comment, and will update this story with their reply.
MyFitnessPal was launched on mobile in 2009 and purchased by Under Armour in 2015 for $475 million, one of several fitness app acquisitions made by the company at that time. In December, Under Armour announced that MyFitnessPal’s founders, Mike and Albert Lee, had departed from their positions as Chief Digital Officer and SVP of Digital Product, respectively.
Fitness app data has come under increased scrutiny as of late. In late January, an analyst with the Institute for United Conflict Analysts warned that heatmap data collected through the Strava fitness app betrayed the locations of US military bases and patrol routes, while others reported that the app’s API allowed anyone to de-anonymize user-shared data to reveal names, speeds, and heart rates. In response to public outcry, Strava CEO James Quarles said that his company was “committed to working with military and government officials to address potentially sensitive data.”