My Fitness Pal Data Breach

A My Fitness Pal data breach has impacted 150 million users (and I’m one of them)

Read more about whether you should be worried and what to do if you’re impacted.


My account’s been hacked …

I woke up to an email this morning from my favourite food tracking app – and it wasn’t good news.  MyFitnessPal (MFP to its fans) had suffered a data breach, and my personal details had been exposed. MyFitnessPal says it was my username, email address and hashed password. A hash is not encryption: there is no key that turns it back into the password, so an attacker has to guess candidate passwords and hash each one until a match turns up.  They hold more information about me than just that though, like my sex, my age, my height and my postcode. Oh and of course my weight.  It appears those details are safe.

But I’m not that worried about it ...

So should I be worried? Well, it’s never reassuring when data gets hacked but here’s why I’m not that worried:

1. My password was hashed, not stored in the clear.  So the first thing someone will have to do is crack the hash: guess candidate passwords and hash each guess until one matches.  That’s possible. But not easy, especially with the hash algorithm used for the ‘majority’ of the accounts (bcrypt, per the company’s statement), which is deliberately slow and salted per account, so every guess costs real compute and a cracked guess can’t be reused across users.

2. Most importantly, my password was a securely generated randomised string of characters which is unique to my MFP account.  And it’s now a completely different securely generated randomised string of characters which is unique to my MFP account!
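To make points 1 and 2 concrete, here is an added example (my own illustration, not code from the original post or from MyFitnessPal): a dictionary attack run against a small constructed “breach dump” of three fictional accounts. It assumes unsalted SHA-1 for the weaker scheme and uses PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, which is not in the Python standard library; the wordlist and account records are constructed sample data.

```python
"""Dictionary attack against a constructed 'breach dump' (not real MFP data):
a hash is not encryption, a slow salted hash costs the attacker far more per
guess, and a random, unique password is not cracked at all."""
import hashlib
import secrets

ITERATIONS = 100_000  # work factor of the slow hash (assumption: stand-in for bcrypt)


def fast_hash(password: str) -> str:
    """Unsalted SHA-1, the weaker scheme. The same password gives the same
    digest for every user, so one hashed wordlist is a lookup table for the
    whole dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Assumption: used here in place of
    bcrypt; both are deliberately expensive to compute."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_dump() -> dict:
    """Three fictional accounts (constructed sample data)."""
    weak = "password123"                 # a password that appears in every wordlist
    strong = secrets.token_urlsafe(24)   # what a password manager would generate
    bob_salt = secrets.token_bytes(16)
    return {
        "alice": {"alg": "sha1",   "salt": None,     "hash": fast_hash(weak)},
        "bob":   {"alg": "pbkdf2", "salt": bob_salt, "hash": slow_hash(weak, bob_salt)},
        "carol": {"alg": "sha1",   "salt": None,     "hash": fast_hash(strong)},
    }


# Constructed toy wordlist; real cracking lists hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "fitness2018"]


def crack(dump: dict, wordlist: list) -> tuple:
    """Return ({user: recovered_password}, work), where work counts hash
    operations: one per SHA-1 call and ITERATIONS per PBKDF2 call."""
    cracked, work = {}, 0
    # Unsalted: hash the wordlist once, then every user is a dict lookup.
    table = {fast_hash(w): w for w in wordlist}
    work += len(wordlist)
    for user, rec in dump.items():
        if rec["alg"] == "sha1":
            if rec["hash"] in table:
                cracked[user] = table[rec["hash"]]
        else:
            # Salted: the per-user salt forces a fresh slow hash for every guess.
            for guess in wordlist:
                work += ITERATIONS
                if slow_hash(guess, rec["salt"]) == rec["hash"]:
                    cracked[user] = guess
                    break
    return cracked, work


if __name__ == "__main__":
    found, cost = crack(build_dump(), WORDLIST)
    print("cracked:", found)         # alice and bob fall; carol's random password never matches
    print("hash operations:", cost)  # bob alone costs 5 * ITERATIONS of the total
```

Alice and Bob share the same weak password and both get cracked, but recovering Bob’s costs five full PBKDF2 runs instead of one table lookup, and the cost grows per account because of the salt. Carol’s randomly generated password is never found even though it sat behind the fast, unsalted hash: no wordlist contains it, which is exactly why a unique random password survives a breach.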

All the passwords for every website I use are unique …

One of the most dangerous things you can do online is reuse the same password for all your sites. Attackers routinely take the email and password pairs leaked from one breach and try them against other services (credential stuffing), so a breach at a site you don’t care about becomes a problem for every site that shares the password. Now one view is that you can use one password across all the sites you don’t care about that much (like MFP for instance). But my view is that a persistent identity thief could access all those sites. And if they can build up enough information about you from 10, or 20 or 50 of them, the damage has been done. So personally, I always use unique passwords.

And it’s easier to do this than you might think …

How do I manage with unique, difficult to remember passwords?  I use a password manager. This way I only have to remember how to access the password manager. I use a tool which auto-populates websites in my browser for me, that I can access on my phone, and best of all it’s completely free! It’s also one of the leading providers. They have one job to do – make sure they keep passwords secure.

You still need to remember one access code though …

Even if you use a password manager, you still need to make sure the master secret for that tool is strong, because it unlocks everything else. So don’t use ‘password’ (yes, that’s a thing …) or your date of birth, or your mother’s maiden name.  Instead, current guidance is not to use a password at all, but rather a passphrase – ie a phrase or short sentence that you will remember. Several unrelated words picked at random give you length, and length is what makes it very difficult to guess; a famous quote or song lyric is already in every cracking wordlist, so choose words that don’t form a well-known sentence.
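As an added example (not from the original post), the following shows how a Diceware-style passphrase is generated and how much guessing strength it carries. The 16-word list is a constructed stand-in; a real Diceware list has 7776 words, and the numbers below assume that size for the comparison.

```python
"""Diceware-style passphrase generation with an entropy estimate (added example).
The word list here is a constructed sample; real lists are far larger."""
import math
import secrets

# Constructed 16-word sample list (assumption); 16 words give only 4 bits per word.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]
DICEWARE_SIZE = 7776  # 6^5 entries in the standard Diceware list


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly at random (with replacement):
    each word contributes log2(wordlist_size) bits, regardless of its length."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list, word_count: int = 6, sep: str = " ") -> str:
    """Draw words with the cryptographic RNG (secrets), never random.choice()."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print("6 words from the sample list:", passphrase_entropy_bits(len(SAMPLE_WORDS), 6), "bits")
    print("6 words from a Diceware list:", round(passphrase_entropy_bits(DICEWARE_SIZE, 6), 1), "bits")
    print("Diceware words needed for 64 bits:", words_needed(DICEWARE_SIZE, 64))
```

The strength comes entirely from how many words there are and how many the list offers, not from how clever the phrase sounds: six words from a 7776-word list give roughly 77 bits, while a memorable quote chosen by a human is one entry in a wordlist and contributes almost nothing.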

Finally … should I trust My Fitness Pal?

Actually their detection and handling of this, admittedly huge, breach has been exemplary:

  • They told users within 4 days of discovering it (this is quick!)
  • Other account data, including payment card details, was not affected; payment details are collected and processed separately
  • They acted promptly to notify users, and were actively answering questions on Facebook and other social media channels

Although this was a large-scale breach, the impact was confined to usernames, email addresses and hashed passwords, and the post-incident communication has been excellent.

Read more from the press on this …

Some of the press coverage of the incident can be found here:
http://www.bbc.co.uk/news/technology-43592470
https://thehustle.co/myfitnesspal-hacked/
https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/