Password Hashing An Issue For MyFitnessPal Breach
Mobile | News | Privacy and Security | April 24, 2018 | Arianna Gael
Hack exposed 150 million users’ accounts, but could have been much worse.
As data breaches go, a company and the victims are lucky if only a couple million accounts were stolen, or if the data was nothing more than passwords and some birth dates. Recent large-scale events have included the loss of tens of millions of complete identities, including permanent, sensitive information like Social Security numbers, the answers to security questions, and other crucial data.
In some ways, the MyFitnessPal hack that exposed 150 million users’ accounts is somewhat insignificant. The only things accessed were usernames, passwords, and email addresses, and if those victims have been practicing good password security, the worst that happens is they have to change their passwords. At worst, they reused their username and password combination on other more sensitive accounts, and will need to hop around the internet and tighten up their security.
No small matter
At the same time, this event is not a small matter. First, a hacker got in. Under Armour, which owns MyFitnessPal, does gather credit card information because of the app's premium account option. That means a hacker could have made this event a much bigger deal by stealing those credit card numbers. If that had happened, Under Armour would be legally required to foot the bill for credit monitoring and replacement credit cards for all of the affected users.
Alarming
Even without the credit cards or sensitive PII, a report from Wired magazine shows why even just the password theft is still alarming. Of the 150 million or so stolen accounts, a lot of them used the strong bcrypt hashing to scramble the passwords; because bcrypt is designed to make every guess slow, by the time the hackers are able to crack those hashes and use them for other purposes, Under Armour will have had plenty of time to alert its users to change their passwords, or to change those passwords itself if it is equipped to.
Inconsistent
However, for some undisclosed reason, not all of the passwords were using bcrypt. A significant number were still protected with SHA-1 hashing, a fast general-purpose hash that was never designed for storing passwords, which is about as effective as covering the password with a piece of clear Scotch tape and hoping no one looked too closely.
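To make the difference between the two schemes concrete, here is an added example (not code from the article, Wired, or Under Armour) that stores a few constructed sample credentials both ways. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; that substitution is an assumption of this example, but the two properties it demonstrates, a random per-user salt and a tunable cost, are exactly what bcrypt provides and unsalted SHA-1 lacks. The names `sha1_unsalted`, `slow_salted_hash`, `verify_slow_salted`, `users_sharing_hash` and `guesses_per_second` are all invented here.

```python
"""Contrast unsalted SHA-1 with a salted, deliberately slow password hash."""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

# Constructed sample credentials for the demo; not data from the breach.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",            # same password as alice
    "carol": "correct horse battery staple",
}


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> str:
    """A salted hash with a work factor (PBKDF2 standing in for bcrypt).

    A random 16-byte salt is generated when none is supplied, so two users
    with the same password still get different stored strings.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Keep scheme, cost and salt next to the digest, as bcrypt strings do.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and cost; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def users_sharing_hash(records: Dict[str, str]) -> List[Set[str]]:
    """Group users whose stored hashes are byte-for-byte identical.

    With unsalted SHA-1 this exposes who shares a password, and cracking one
    entry cracks the whole group; with per-user salts no groups form.
    """
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for user, stored in records.items():
        by_hash[stored].add(user)
    return [group for group in by_hash.values() if len(group) > 1]


def guesses_per_second(hash_fn: Callable[[str], str],
                       budget_seconds: float = 0.25) -> float:
    """Rough single-core throughput of hash_fn, in candidate passwords per second.

    Absolute numbers are low in pure Python; the ratio between schemes is the point.
    """
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        hash_fn(f"guess{count}")
        count += 1
    return count / (time.perf_counter() - start)


def build_tables():
    """Store the sample users under both schemes and return (weak, strong)."""
    weak = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: slow_salted_hash(p) for u, p in SAMPLE_USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("users with identical SHA-1 hashes:", users_sharing_hash(weak))
    print("users with identical salted hashes:", users_sharing_hash(strong))
    fixed_salt = os.urandom(16)
    fast = guesses_per_second(sha1_unsalted)
    slow = guesses_per_second(lambda p: slow_salted_hash(p, fixed_salt, 20_000))
    print(f"SHA-1: ~{fast:,.0f} guesses/s; salted PBKDF2: ~{slow:,.0f} guesses/s")
```

Run it and two things stand out: the SHA-1 table immediately reveals that alice and bob share a password, while the salted table does not, and the fast hash accepts orders of magnitude more guesses per second than the slow one. Cracking a leaked table is exactly that guessing loop run at scale, which is why the article treats the bcrypt and SHA-1 halves of the breach so differently.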
Why would a company that is already deploying bcrypt not protect all of its passwords that way? The answer isn't very clear, but Under Armour is also not the only company guilty of having access to a better system and not using it across the board. As more events like this one crop up, hopefully other companies will get on board.