Future Tense

The MyFitnessPal Hack May Affect 150 Million People. It Could’ve Been Even Worse.

Someone stealing data from app.
Photo illustration by Slate. Photos by Thinkstock.

One of the long-held fears about our wearable data-tracking habits is that the vast collection of information would be accessed by hackers. Beginning around 2013, the quantified self movement gained momentum. With Apple Watches on our wrists and apps like RunKeeper on our phones, we’re tracking what time we go to bed, what food we eat, what medicine we take, even what routes we run from our front door. Online thieves have already targeted Fitbit owners in an attempt to defraud the wearable maker, and health care companies have been the target of numerous hacks in the past few years. Now popular nutrition- and fitness-tracking app MyFitnessPal has become the latest service—and one of the first in the health- and activity-monitoring space—to reveal its data has been accessed in a hack.

Under Armour revealed Thursday that about 150 million MyFitnessPal app users may have been affected by a data breach that took place in February. Under Armour said it learned of the breach last Sunday, after realizing an unauthorized party had accessed MyFitnessPal data. It said information, including usernames, email addresses, and hashed passwords, may have been accessed; payment information was not involved. MyFitnessPal said it is notifying affected users about the breach, requiring them to change their passwords and recommending they change passwords on any other accounts that might share similar information. At this point, it looks like MyFitnessPal avoided a worst-case scenario—the app contains a wealth of dietary, fitness, and exercise stats, but Under Armour has not suggested that information was compromised.

While it’s not as big of a target as the health care industry—stolen health credentials can go for 10 or 20 times the value of a stolen credit card on the black market, for example—apps like MyFitnessPal still store a large amount of detailed, personal information that can be used to profile and track an individual. In a 2016 interview with Digital Trends, Andrew Hilts, executive director at Canadian data security–advocacy group Open Effect, said that with such incredibly detailed records at their disposal, hackers could “suddenly have a very valuable source of intelligence about individuals’ whereabouts.” MyFitnessPal can collect your precise location data as well as performance data, according to its privacy policy—and that’s in addition to all the other information you voluntarily give the app.

When activity-tracking app Strava accidentally revealed the locations of secret military bases through its data-populated heat maps, it sent ripples through the fitness-monitoring space. “[A]nyone with a Fitbit can inadvertently become a pawn in an uncharted world of collective data,” Vox wrote. Users rethought their activities on such apps—or at least their privacy settings on them. The Strava incident highlighted the dangers that willfully public data can pose to personal and national security and had users second-guessing if it was such a good idea. The entire fitness-app industry relies on people handing over their personal metrics. If they can’t trust that data to be safe, secure, and used properly, the industry could crumble.

We don’t yet know how the data was breached. With 150 million users affected, it’s one of the largest breaches on record. It’s worth noting that, as an RSA survey pointed out, passwords are one of the pieces of information U.S. consumers are most protective of. Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when. And it’s an important reminder that all of your most personal data is vulnerable to being hacked, no matter how trivial it seems. Our smartphones, wearables, and apps are gathering millions of data points about our lives on a daily basis. Things like your calorie intake and step count may not seem valuable to a hacker. But paired with other information gathered by a fitness tracker, such as where you worked out or how long you were away from home, those insignificant data points can paint a valuable picture of who you are.