Cyber Incident Victim: Under Armour
Date: Feb 2018
Location: United States of America
Summary
Under Armour experienced a data security incident impacting its MyFitnessPal application, involving unauthorized access to user account information. The compromised data did not include government-issued identifiers such as Social Security numbers. The company detected the breach and initiated notifications to affected users via email and in-app messaging within four days, urging immediate password changes and providing security guidance while directing users to an online FAQ for additional details.
Description
Under Armour publicly disclosed a data security incident affecting its MyFitnessPal application on March 29, 2018. The company stated the breach occurred in February 2018 but provided no specific attack vector or intrusion method. Compromised information included usernames, email addresses, and hashed passwords, with Under Armour emphasizing that government-issued identifiers, Social Security numbers, driver's license numbers, payment card data, and precise location tracking information remained unaffected. The discovery timeline indicates Under Armour first detected the incident on March 25, 2018, though the notification did not specify how detection occurred or whether external parties alerted the company. No threat actor attribution was provided in the disclosure, and the company did not confirm whether data exfiltration was involved or if the breach resulted from unauthorized access to stored credentials. The scale of impacted accounts was not quantified in the initial announcement, leaving the full scope undefined through available public statements.

The company initiated user notifications four days after discovery through email communications and in-app messaging, coinciding with the March 29 public disclosure. These notifications contained security recommendations for MyFitnessPal account holders, though the specific guidance beyond password changes was not detailed in the press release. Under Armour mandated password resets for all MyFitnessPal users as a containment measure while urging immediate voluntary password changes. A dedicated FAQ page was established to provide supplementary information about the breach, though its contents were not reproduced in the official statement. The disclosure included forward-looking statements acknowledging the preliminary nature of findings, noting the investigation remained ongoing with potential for new developments to alter understanding of the incident. These statements explicitly cautioned against reliance on initial assessments while refraining from detailing specific forensic methodologies, third-party involvement in the investigation, or long-term remediation strategies beyond immediate credential resets.
