On March 29th, popular fitness and nutrition tracking app MyFitnessPal, disclosed a data breach. According to the MyFitnessPal website, the breach occurred sometime in February 2018 but was only discovered on March 25th.
Under Armour, the company that owns MyFitnessPal, announced that as many as 150 million accounts were compromised. Stolen information includes usernames, email addresses and passwords hashed with bcrypt.
MyFitnessPal has alerted users via email and is requiring all users to change their passwords.
Have a MyFitnessPal account? Change your password.
2. Click the LastPass in-field icon to select your myfitnesspal.com account. (If you are not yet using LastPass, sign up now at www.lastpass.com and then complete the rest of the steps below.)
3. Click Log In.
4. At the top of the page, click Settings.
5. Select the “Change Password” option.
7. Click the LastPass generate icon to generate a new, random password, and click Fill.
8. Click Save Changes.
9. When LastPass prompts you, click “Ok” to save the new password for your myfitnesspal.com vault record.
10. Click Log Out when you’re done.
Change any duplicate or similar passwords
If you reused your MyFitnessPal password for other accounts, those could be at risk. You should always create unique passwords for every account. If you need help identifying reused passwords, take the security challenge linked in your LastPass vault. It will identify weak and reused passwords. Go to the sites and update your password using similar steps as above for any accounts with reused passwords.
This is also an essential step if you run a business or work in IT. Remind employees not to reuse passwords. If an employee uses their MyFitnessPal password on work accounts, those are now at risk.
Watch for phishing attacks
Since your email address may have been leaked, you need to be extra diligent not to fall victim to phishing emails. Do not click on any suspicious links claiming to be from MyFitnessPal, UnderArmour or any other companies or individuals you do not know or trust.
When you do navigate to a site through a link, be sure to check that the site is legitimate. Look at the URL and lock symbol before proceeding. LastPass can help with this. If your LastPass credentials do not populate in the site than you know it is not real. For example, if you go to your banking site your login information should automatically populate from LastPass. If it doesn’t, you should check the URL and other information on the site before moving forward with logging in.
Remember, you can always launch websites directly from your LastPass vault or browser extension. This will ensure you are getting to the correct site.
Turn on Multi-Factor Authentication
This is a great time to add an additional level of security for your important accounts, especially your email account. This simply means adding another login step when you’re signing into an account. It combines something you know (your password) with something you have (your phone) or something you are (your fingerprint). This is especially important for your email account because once someone has access to your email, they are able to reset other account passwords. One easy option is LastPass Authenticator, which sends a push notification to the app on your phone and logs you in.
Breaches like this are becoming a common occurrence, but we are here to help. Following these steps can help you stay safe against these growing threats.
Also, be sure to check out our new breach response webpage. This is your go-to-site for up-to-date information on breaches happening in the news.