In the wake of a breach that compromised personal information of 150 million MyFitnessPal accounts, some in the security industry are giving Under Armour a thumbs up for both the way it has handled the incident and security measures it had in place.
"Praising a company after a breach is difficult, but we should give UnderArmour credit for keeping payment information separate from profile information,” said James Lerud, head of Verodin's Behavioral Research Team. “They appear to be handling this incident in a responsible way by notifying the public and requiring password resets.”
Companies often fail to detect a breach, “the first most important step,” said Terry Ray, CTO of Imperva. "Under Armour not only discovered the intrusion but “at least used bcrypt for the passwords which is considerably more compute intensive than sha-1,” said Ray. “Unfortunately, using only sha-1 for usernames and email addresses is a problem. For one, there are billions of already decrypted sha-1 hashes freely available on the web and cracking a new one doesn't take too much effort. This is why Under Armour took the appropriate steps to instruct users to change their passwords both on their site as well as any other site that uses those same usernames or email addresses.”
Noting that “it is unclear at this point if the compromised password hashes are salted,” Lerud said that's “a best practice that makes it more difficult for hackers to discover underlying passwords.”
Forrester Security Expert Jeff Pollard said that while the breach affected a large number of accounts, "Under Armour is showing it learned some lessons from companies breached in recent months by notifying its customers rapidly after discovering the intrusion.”
The company has yet to clarify whether “other personal details – such as eating habits, photos, GPS location, and other fitness-related information – was included in the breach, and if included, whether that data was also encrypted or masked in some fashion,” which is of concern to users “and rightfully so,” said Pollard. “Fitness trackers and apps like MyFitnessPal are fantastic tools that help people, but users must also be aware of the fact that these devices and apps act as 'opt-in surveillance.' Anyone with access to what the app collects also has access to your location, habits, and preferences – and in this case, that is now an attacker."
But regardless of Under Armour's handling of the breach and its security practices, the “attackers were clearly able to compromise the network, perform necessary reconnaissance to locate targeted data, and then steal it without getting caught,” said Anthony James, chief marketing officer at CipherCloud. In this sort of attack, the attackers were most likely able to dwell in the network for some period of time, to accomplish their goals.”
Although his own fitness motivation hadn't compelled him to use a MyFitnessPal, James said, for the 150 million users who did, the breach “is an invasion of privacy and compromise of their personal data.”
And it's a privacy violation that might have gotten Under Armour in hot water if the General Data Protection Regulation (GDPR) was in effect today. “Under Armour claims that no government-issued identifiers were exposed in this breach,” said Gabriel Gumbs, vice president of product strategy for STEALTHbits Technologies. “If this breach occurred 57 days from today, when GDPR enforcement begins, the EU's Information Commissioner's Office would draw no distinction as to whether the identifying data was government-issued or not.”
The commissioner likely would have given Under Armour a closer look. “Because of the way GDPR defines identifiable information, there is possibly other information in this breach that would also run afoul of GDPR without having to be government-issued,” said Gumbs. “For example, if the MyFitnessPal mobile app collected a phones IMEI number that too would be identifiable data.”
He warned that “companies really should be in full sprint to ensure they are prepared for GDPR.”
Because breaches at the likes of Boeing and the City of Atlanta “have become common enough to barely make the news,” Ray said “most consumers are becoming a bit desensitized …And if one breach makes news, there are ten that don't.”