When I woke up this morning and checked the news, I read that MyFitnessPal was hacked and that they lost 150 million passwords! It’s not Yahoo, but that’s a lot.
My wife and I are both MyFitnessPal users, so when I told her, her first reaction was “Great! Now hackers can see what I ate for lunch yesterday.” That’s probably a pretty normal reaction. I think what my wife and most people fail to realize is that the problem isn’t the hack of MyFitnessPal per se, but rather the fact that the password she uses on MyFitnessPal could be copied and used to access much more important websites, like Wells Fargo bank or an investment account at Schwab.
According to a study by Keeper Security, 87% of users under the age of 31 reuse their passwords!
The good news is that MyFitnessPal used an encryption type known as “bcrypt”, which is actually a very good password algorithm. It takes your password, adds a really long, complicated string called a salt, then changes a value on a regular basis, which makes the salt change, and if you keep trying to remember your password, it makes you wait longer and longer with each try. While all of these things are great in theory, they’re not foolproof. The infamous Ashley Madison hack used the same algorithm, except their source code was leaked and they were able to reverse engineer the salt; on top of that, the programmers didn’t write the best code.
This will be a problem for a long time, until they really figure out biometrics, but for now use different, long passwords, turn on 2FA, and segment your passwords!
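As an added example (not code from this post or from MyFitnessPal): a stored bcrypt string carries its own per-password salt and a cost number, and the cost sets how much work each guess takes. This sketch parses such strings and flags weak ones; the sample records, the `MIN_COST` floor and the function names are assumptions made up for illustration.

```python
import re

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 10  # assumed policy floor for this example, not a value from the post

def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only defines costs 4..31
        return None
    return {"version": version, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest": digest}

def audit(records):
    """Return (user, finding) pairs for malformed hashes, low cost and reused salts."""
    findings, seen_salts = [], {}
    for user, stored in records:
        info = parse_bcrypt(stored)
        if info is None:
            findings.append((user, "not a bcrypt hash"))
            continue
        if info["cost"] < MIN_COST:
            findings.append((user, "cost %d below floor %d" % (info["cost"], MIN_COST)))
        if info["salt"] in seen_salts:
            findings.append((user, "salt shared with " + seen_salts[info["salt"]]))
        else:
            seen_salts[info["salt"]] = user
    return findings

# Constructed sample records: format-valid placeholders, not hashes of real passwords.
SALT_A = "abcdefghijklmnopqrstuv"
SALT_B = "ABCDEFGHIJKLMNOPQRSTUV"
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = [
    ("alice", "$2b$12$" + SALT_A + DIGEST),
    ("bob", "$2a$06$" + SALT_B + DIGEST),             # low cost: cheap to guess against
    ("carol", "$2b$12$" + SALT_A + DIGEST),           # same salt as alice
    ("dave", "0123456789abcdef0123456789abcdef"),     # 32-hex placeholder, not bcrypt
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, "->", finding)
```

Each step up in cost doubles the work per guess, so the cost-12 records take 4096 rounds per attempt against 64 for the cost-6 record.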
The post MyFitnessPal Data Breach appeared first on Proper Sky.