I know I’ve tried many times to get fit and that journey usually starts with getting back into MyFitnessPal. The app helps you track your calorie intake and exercise to maintain a healthy balance of food and fitness. So popular is the app, in 2015 sports giant Under Armour bought it. They might be regretting that a little bit as they’ve just been hacked
What Happened With MyFitnessPal?
In short, the app has suffered a data breach. On the surface, that sounds awfully scary as some hackers now know I’m over weight. As do the dogs in the street though to be fair.
In the breach, hackers obtained emails, names and hashed passwords; hashed is an incredibly important word here.
What Are Hashed Passwords?
Some of the news coverage around the hack describe hashed passwords as making it harder to obtain a user’s actual password. To be completely honest, hashing can provide a level of security that makes uncovering a users password nigh on impossible.
Wired magazine provide my favourite comparison:
the difference between a Three Mile Island and a Hiroshima sometimes comes down to an arcane branch of cryptography: hashing
Hashing is a relatively simple method of encrypting information by running a computation. The best known use is hashing passwords. When you select your password for a website, it’s often hashed which means it’s run through a mathematical process and converted into a jumbled collection of numbers and letters.
When you try to log in to the same site again, the password your type is in run to this process again and checked to see it matches the jumbled numbers and letters created by the original hashing of your password.
Sure Isn’t Hashing Only Great So?
It’s really important to note that not all levels of hashing are created equal. You might remember a couple of years ago we showed you a website called “Have I Been Pwned” which lets you check if your data was compromised any of the all to regular data breaches that have taken place. One data set included in this was a LinkedIn hack from 2012 which used hashing known as SHA1.
The Problem With Hashing
SHA1 is actually realtively simple to reverse engineer. This meant when hackers got hold of this data, they could uncover the passwords and, combined with the email adresses also acquired, try accessing various other websites. This is why its recommended you don’t use the same password for all your logins.
The MyFitnessPal hack saw 150 million users’ data taken. Fortunately, the passwords taken were hashed. It’s not all good news though. While some of the passwords taken were encrypted using bcrypt, a really secure form of hashing, six years after the LinkedIn hack some of the data was remarkably only using SHA1.
What Should MyFitnessPal Users Do Now?
Stop for a moment and think: how often do you use your MyFitnessPal email address and password for other services.
You should certainly consider changing them across all services and possibly look to changing how you manage your own passwords. Password managers like Last Pass let you create unique passwords for every account you create. When creating a Last Pass accout, I’d strongly recommend using a pass phrase instead of a password. Pass phrases are sentences which you can easily remember and should contain capitals, numbers and symbols.
Finally, where possible, use 2 step verification. This security feature requires you to input a code either sent my SMS, phone call or through an authentication app after you attempt to log into your account. Google recently announced just 10% of Gmail users are using 2 step verification.
Be Responsible For Own Data
Data breaches arent going to stop. Simply put, no company will ever care for your data as much as you will and Facebook has made it abundantly clear many companies can’t be trusted. The MyFitnessPal hack may not have massive reprocussions thanks to password hashing while some users might receive unsolicited emails or be targetted through ads for having and interest in fitness.
But it’s a matter of when you’re involved in a data breach, not if, and when you’re involved, having taken the right steps to protect your own data could br crucial