Under Armour Inc., joining a growing list of corporate victims of hacker attacks, said about 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached earlier this year.
An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week and took steps to alert users about the incident, the company said.
Shares of Under Armour fell as much as 4.6 percent to $15.59 in late trading following the announcement. The stock had been up 13 percent this year through Thursday’s close.
The data didn’t include payment-card information or government-issued identifiers, including Social Security numbers and driver’s license numbers. Still, user names, email addresses and password data were taken. And the sheer scope of the attack — affecting a user base that’s bigger than the population of Japan — would make it one of the larger breaches on record.
“Email addresses are valuable for spammers because the attackers would know that active, real users are behind these addresses,” said Engin Kirda, a professor at Northeastern University in Boston. “The dark web is usually where data like this is sold to the highest bidder.”
Under Armour’s announcement comes a day after Boeing Co. said it was hit by a cyberattack. In that case, malicious software affected “a small number of systems,” the airplane manufacturer said on Wednesday.
Read More: When Bad Cybersecurity News Is Better Than You Think
The MyFitnessPal mobile app lets people track their calorie intake, diet and exercise routines. Under Armour agreed to buy the software in 2015, part of a bid to become the world’s biggest tracker of fitness information. The idea was to expand upon the company’s roots in athletic apparel and accessories.
Now the Baltimore-based company is grappling with the downside of owning a data-centric business. Under Armour has enlisted security firms to help with its investigation and is working with law enforcement to resolve the matter.
The company has been sending emails and in-app messages to users to alert them to the attack. It’s urging customers to change their passwords immediately.