- Total Records150,633,047
- Unique Emails143,154,774
- Unique Email Providers3,034,206
- Unique Usernames142,926,088
The 2018 MyFitnessPal Data Breach: What Happened and What Was Exposed?
In early 2018, MyFitnessPal, the popular health and fitness tracking app operated by Under Armour, experienced a massive data breach that affected millions of users worldwide. The incident came to light in late March 2018, revealing that attackers had gained unauthorized access to MyFitnessPal’s systems in February and managed to extract an enormous trove of data—over 150 million user accounts. The stolen information included email addresses, usernames, IP addresses, and passwords, which were protected using both SHA-1 and bcrypt hashing methods. News of the breach sparked widespread concern due to the sheer scale, and the stolen data was reported to have been made available on a dark web marketplace not long after.
When Did the MyFitnessPal Breach Happen?
The MyFitnessPal breach occurred in February 2018, with public disclosure made a month later in March. Under Armour notified its users promptly after discovering the intrusion, ensuring transparency about what was compromised and what users should expect next. The breach window itself was relatively brief, but its aftermath was felt for months as impacted individuals learned about the incident and how their data had been handled.
What Data Was Compromised?
Attackers were able to access a combination of personally identifiable information and account credentials. Specifically, the compromised data included:
- Email addresses
- Usernames
- IP addresses
- Passwords (stored as SHA-1 and bcrypt hashes)
No payment data or government-issued identification numbers were exposed. Still, with account logins and related data involved, the breach posed serious risks to user privacy and the potential for credential stuffing attacks elsewhere.
How Many Users Were Affected by the MyFitnessPal Breach?
The scope of the breach was substantial. Approximately 150,633,048 user accounts were affected, making it one of the largest personal data exposures ever recorded in the fitness and health sector. Users from many countries were included in the dataset, highlighting the global reach of MyFitnessPal at the time of the incident.
Timeline of the MyFitnessPal Breach
- February 2018: Malicious actors successfully gained access to MyFitnessPal’s user database.
- Late March 2018: Under Armour publicly announced the breach, contacting users and providing guidance.
- Shortly After Disclosure: The database appeared for sale on dark web marketplaces, confirming its theft and distribution.
Who Was Behind the MyFitnessPal Breach?
While the specific perpetrators have not been publicly identified, the attack’s method and the appearance of the data for sale suggest that experienced cybercriminals, possibly operating as part of a larger group, orchestrated the breach. No one individual or group has claimed official responsibility.
Frequently Asked Questions
What happened in the MyFitnessPal data breach?
In February 2018, MyFitnessPal suffered a breach in which attackers stole over 150 million user records, including usernames, email addresses, IP addresses, and hashed passwords. The breach was disclosed publicly in March 2018.
How many users were impacted in the MyFitnessPal breach?
Over 150 million user accounts, specifically 150,633,048, were affected by this incident, making it one of the largest breaches ever in the health tech industry.
What data was exposed in the MyFitnessPal breach?
Email addresses, usernames, IP addresses, and password hashes (using SHA-1 and bcrypt) were accessed and stolen by the attackers during the breach.
When did the MyFitnessPal breach occur?
The breach took place in February 2018, with public notification and user alerts issued by Under Armour in late March of that year.
How can I check if I'm in the MyFitnessPal breach?
You can check if your information was part of the MyFitnessPal breach by utilizing the DeHashed search engine.