Hacked MyFitnessPal Data Goes on Sale on the Dark Web—One Year After the Breach

February 14, 2019, 10:57 PM UTC

The MyFitnessPal app disclosed a data breach last year affecting as many as 150 million users. Now, some of those stolen credentials are popping up for sale on the dark web.

Not only is data from Under Armour’s MyFitnessPal, a diet and exercise community, being offered, but hackers also have their hands on credentials from 15 other websites. The asking price: Less than $20,000 in Bitcoin, according to a report from The Register.

Erin Wendell, a spokesperson for MyFitnessPal, said users were required to change their passwords after the breach was reported last March, so any stolen credentials are no longer valid on the site.

“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords. As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no longer valid on MyFitnessPal, and we continue to encourage strong password practices including unique and complex passwords for all their accounts to enable users to further protect themselves,” she said.

While it doesn’t sound like hackers will be able to check on what MyFitnessPal users ate for breakfast, the leaked credentials could be a problem for people who reuse passwords across multiple websites. The passwords appear to be hashed and encrypted; however, a buyer could cross-reference breached email addresses with previous hacks to see if someone reused a password.

Another website included in the Valentine’s Day fire sale, the dating app Coffee Meets Bagel, sent users an email on Thursday to notify them that it learned of a breach on February 11, the same day The Register’s report was published. A partial list of names and email addresses is believed to be the only information compromised. The email did not say how many users may have been exposed.

The other websites mentioned in The Register’s report are: Dubsmash, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, Artsy, and DataCamp.

One way to quickly check to see if your credentials have been breached is to enter your email address at HaveIBeenPwned.com. While the site doesn’t say where your data was leaked, it can tell you how many data dumps include your email address. Whether you’ve been “pwned” or not, security experts also recommend that you regularly change your passwords and use one unique password per site.