The Under Armour MyFitnessPal data breach exposed sensitive information of millions of users, marking one of the largest breaches in 2018. Affecting the popular fitness app, this incident highlighted critical vulnerabilities in data security and user privacy protections. With 150 million accounts compromised, this breach underscores the importance of robust cybersecurity measures for digital platforms handling personal information.

Under Armour MyFitnessPal data breach explained: what happened?

The MyFitnessPal data breach occurred in February 2018 and was officially disclosed by Under Armour in late March 2018. Attackers infiltrated the platform, stealing usernames, email addresses, and hashed passwords. Fortunately, no financial data or government-issued IDs were compromised. While this breach wasn't linked to a larger campaign, it served as a wake-up call for both consumers and businesses regarding cybersecurity lapses.

When did the Under Armour MyFitnessPal data breach happen?

The breach was discovered in late February 2018, but it was publicly disclosed on March 29, 2018. This prompt announcement allowed affected users to take swift action to secure their accounts.

Who hacked Under Armour MyFitnessPal?

The identities and motivations behind the Under Armour MyFitnessPal breach remain unknown. No specific threat actors have claimed responsibility for this attack.

How did the Under Armour MyFitnessPal breach happen?

The attack involved unauthorized access to MyFitnessPal's user database, exploiting vulnerabilities to exfiltrate data. The attackers took non-encrypted PII (email addresses and usernames) along with hashed passwords, some of which used weaker hashing algorithms.

MyFitnessPal Data Breach Timeline

  • February 2018: Breach occurred and data was accessed.

  • March 29, 2018: Under Armour publicly disclosed the breach.

  • Post-Disclosure: Users were notified and prompted to reset passwords.

Technical Details

Attackers leveraged a vulnerability within MyFitnessPal’s user database, allowing them to access the hashed passwords. While bcrypt protected some credentials, many were hashed with SHA-1, a weaker algorithm susceptible to attacks.
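
One way to retire SHA-1 password hashes like those described above is to wrap each stored digest in a slow KDF right away, then re-hash from the plaintext at the next successful login. This is an added example, not Under Armour's code: the record layout and function names are assumptions, the legacy rows are assumed to be unsalted SHA-1 digests, and scrypt from Python's standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT)

def legacy_sha1(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()

def wrap_legacy(record: dict) -> dict:
    """Offline pass: protect a stored SHA-1 digest without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "salt": salt,
            "hash": slow_hash(record["hash"], salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": slow_hash(password.encode(), salt)}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a successful login on a legacy scheme is re-hashed."""
    scheme = record["scheme"]
    if scheme == "sha1":
        candidate = legacy_sha1(password)
    elif scheme == "scrypt(sha1)":
        candidate = slow_hash(legacy_sha1(password), record["salt"])
    elif scheme == "scrypt":
        candidate = slow_hash(password.encode(), record["salt"])
    else:
        return False, record  # unknown scheme: fail closed
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if scheme != "scrypt":
        record = new_record(password)  # plaintext is only available at login
    return True, record

if __name__ == "__main__":
    # Constructed legacy row: a bare SHA-1 digest (assumed layout).
    row = wrap_legacy({"scheme": "sha1", "salt": b"",
                       "hash": legacy_sha1("correct horse")})
    print(verify_and_upgrade(row, "wrong guess")[0])
    ok, row = verify_and_upgrade(row, "correct horse")
    print(ok, row["scheme"])
```

Wrapping means a copy of the table no longer contains bare SHA-1 digests even for accounts that never log in again; the login-time upgrade then removes the SHA-1 layer entirely.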

Indicators of Compromise (IoCs)

Specific IoCs were not disclosed; however, users were warned to monitor for unauthorized access to linked accounts and phishing attempts.

Forensic and Incident Investigation

Under Armour initiated an internal investigation and engaged data security experts for forensic analysis. Recovery efforts included system audits, improved encryption mechanisms, and enhanced security protocols.

What data was compromised in the Under Armour MyFitnessPal breach?

Usernames, email addresses, and hashed passwords were stolen. No financial information, Social Security numbers, or payment details were compromised in the breach. While bcrypt was used for some password hashing, others relied on SHA-1, which is less secure.

How many users were affected by the Under Armour MyFitnessPal data breach?

Approximately 150 million user accounts were impacted, making this breach one of the largest to date for a fitness-related platform.

Was my data exposed in the Under Armour MyFitnessPal breach?

Users who registered for MyFitnessPal prior to February 2018 may have been impacted. Under Armour recommended that affected users change their MyFitnessPal passwords and any similar credentials on other platforms for enhanced security.

Key impacts of the Under Armour MyFitnessPal breach

The breach had significant repercussions, including damage to Under Armour's reputation and a decrease in customer trust. While no financial losses for users were reported, the incident highlighted the risks of poor password protection and inadequate encryption.

Response to the Under Armour MyFitnessPal data breach

Under Armour immediately disclosed the breach and notified users to reset their passwords. The company also worked with data security experts to identify vulnerabilities and strengthen its defenses against future breaches.

Lessons from the Under Armour MyFitnessPal Data Breach

  • Use robust encryption for sensitive data.

  • Regularly patch and update software to mitigate vulnerabilities.

  • Encourage strong, unique passwords and consider implementing multi-factor authentication (MFA).

Is Under Armour safe after the breach?

Under Armour has since implemented stronger encryption, improved its incident response processes, and enhanced cybersecurity measures. However, the breach serves as a reminder that no system is entirely immune from cyber threats.

Mitigation & prevention strategies

  • Enable MFA for all accounts.

  • Use strong, non-reusable passwords created with a password manager.

  • Regularly monitor accounts for suspicious activities or unauthorized access.

  • Educate employees and users on phishing and other common attack vectors.

FAQs

The breach occurred due to vulnerabilities in MyFitnessPal's user database, allowing unauthorized access to usernames, email addresses, and hashed passwords.

Usernames, email addresses, and hashed passwords were exposed. No financial data or Social Security numbers were compromised.

The identities of the hackers remain unknown. Investigations have not linked the breach to any known threat groups.

Employ strong encryption methods, mandate MFA, continuously update security systems, and train employees to recognize cybersecurity threats.
