What happened
According to public breach records, the MyFitnessPal data breach on February 1, 2018 is reported to have exposed the personal information of 143,606,147 accounts.
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
Passwords in this breach were reportedly stored as SHA-1 hashes.
Under Armour disclosed that an unauthorized party acquired data tied to about 143.6 million MyFitnessPal accounts; the company became aware on March 25, 2018 that the data had been taken in late February 2018, and began notifying users roughly four days later. The exposed data included usernames, email addresses, IP addresses, and passwords stored as hashes — bcrypt for the majority of (newer) accounts and the weaker SHA-1 for older accounts — while government-issued IDs such as Social Security and driver's license numbers, and payment card data, were processed separately and were not affected. The dataset later surfaced for sale on a dark-web marketplace in 2019 alongside other large breaches, after which it circulated more widely.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- IP addresses
- Passwords
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | MyFitnessPal |
| Date | February 1, 2018 |
| Accounts affected | 143,606,147 |
| Domain | myfitnesspal.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by MyFitnessPal; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your MyFitnessPal password immediately, and change it anywhere you reused the same password — older accounts in this breach used the weaker SHA-1 hash, which is more feasible to crack.
- Enable two-factor authentication on MyFitnessPal and on any account that shared the breached password.
- Treat the exposed email address as a phishing target: be wary of messages referencing MyFitnessPal, fitness goals, or password resets, and verify sender addresses before clicking.
- Use a password manager to generate unique passwords so a single cracked hash can't unlock your other accounts.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: MyFitnessPal Data Breach
- Under Armour says data breach affected about 150 million MyFitnessPal accounts (CNBC)
- Under Armour, Inc. Form 8-K Exhibit 99.1 (SEC, March 29, 2018)
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →