MyFitnessPal Account Security Issue: Frequently Asked Questions

1. What happened?

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

2. What did MyFitnessPal do when it discovered the issue?

Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.

We are taking steps to protect our community, including the following:

3. What information was affected by this issue?

The affected information included usernames, email addresses, and hashed passwords, the majority of which were hashed with bcrypt, a hashing function used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers) because we don't collect that information from users. Payment card data was not affected because it is collected and processed separately.

4. What is a "hashed password"?

Hashing is a one-way mathematical function that converts an original string of data into a seemingly random string of characters.

5. What is "bcrypt"?

Bcrypt is a password hashing mechanism that incorporates security features, including multiple rounds of computation, to provide advanced protection against password cracking.

6. What hashing function was used to protect the MyFitnessPal account information that was not protected by bcrypt?

The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.
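
The difference between the two schemes described in questions 5 and 6 can be seen in how the stored values look and how much work each guess costs. The following is an added illustration, not MyFitnessPal's code: it assumes stored values are either the standard bcrypt string format or a 40-character hexadecimal SHA-1 digest, and the function names, the cost threshold and the sample records are all constructed for the example.

```python
import hashlib
import re

# Standard bcrypt layout: $2<variant>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# SHA-1 produces 160 bits, i.e. 40 hexadecimal characters
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

MIN_BCRYPT_COST = 12  # assumed policy threshold, not taken from the page


def classify(stored):
    """Return (scheme, rounds_per_guess, needs_upgrade) for one stored hash."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        # bcrypt repeats its key setup 2**cost times for every guess
        return ("bcrypt", 2 ** cost, cost < MIN_BCRYPT_COST)
    if SHA1_RE.match(stored):
        # a plain SHA-1 digest costs one hash computation per guess
        return ("sha1", 1, True)
    return ("unknown", 0, True)


def audit(records):
    """Map username -> scheme for every account that should be rehashed."""
    flagged = {}
    for user, stored in records.items():
        scheme, _rounds, needs_upgrade = classify(stored)
        if needs_upgrade:
            flagged[user] = scheme
    return flagged


# Constructed sample records; salts and hashes are placeholders, not real data.
SAMPLE = {
    "alice": "$2b$12$" + "A" * 53,
    "bob": "$2a$08$" + "B" * 53,
    "carol": hashlib.sha1(b"constructed-sample").hexdigest(),
    "dave": "not-a-hash",
}

if __name__ == "__main__":
    for user, stored in SAMPLE.items():
        print(user, classify(stored))
    print("rehash at next login:", audit(SAMPLE))
```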

7. When did MyFitnessPal become aware of the issue?

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

8. Do you know who did this?

We do not know the identity of the unauthorized party. Our investigation into this matter is ongoing.

9. Who is being notified?

We are notifying MyFitnessPal users to provide information on how they can protect their data.

10. What is the company doing to protect my MyFitnessPal account?

Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.

We are taking steps to protect our community, including the following:

11. I think I received an email about this issue. How do I know it is really from MyFitnessPal?

Click here to view the content of our email notice to MyFitnessPal users. Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to the MyFitnessPal Account Security Issue: Frequently Asked Questions and does not request your personal data.

12. I think I received a message about this issue in the MyFitnessPal app. What should I do?

The in-app message from MyFitnessPal contains a link to our notice to MyFitnessPal users about this issue. Click here to view the content of our in-app notice to MyFitnessPal users.

13. What should I do to help protect my information?

We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information. We recommend you:

14. How do I change my password?

You can change your password by logging into our full site at https://www.myfitnesspal.com. Mobile app users should log in using the same username and password they use in the app.

Once you've logged in, click the "My Home" tab, then "Settings," then "Change Password."

If you've forgotten your password, you can request a password reset email by clicking the "Forgot password or username" link on the sign-in screen of our apps, or by visiting this link in a web browser.

Mobile app users who have not yet verified their email address may receive an error when attempting to reset their password using the "Forgot password?" option on the app's login screen. These users can visit this link and enter their email address or username to prompt an email verification request, after which the password request can be made successfully.

15. Will changing my MyFitnessPal password also update my MapMyFitness password?

UPDATED April 2, 2018

We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately. If you are a MyFitnessPal user who created an account after November 2016, changing your MyFitnessPal password will also update the password you use for the MapMyFitness family of apps (Endomondo registration is separate).

16. How can I get help with my MyFitnessPal account?

For help with your MyFitnessPal account, please visit our customer portal.

For U.S. MyFitnessPal Users

Although the affected account information did not include Social Security numbers, driver's license numbers, payment card data or bank account information, we encourage you to remain vigilant by reviewing your account statements and monitoring your credit reports. Below is contact information for the three consumer reporting agencies from which you can obtain a credit report.

Experian
Experian Inc.
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com

Equifax
Equifax Credit Information Services, Inc.
P.O. Box 740241
Atlanta, GA 30374
1-800-525-6285
www.equifax.com

TransUnion
TransUnion LLC
P.O. Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

You also may wish to place a "security freeze" (also known as a "credit freeze") on your credit file. A security freeze is designed to prevent potential creditors from accessing your credit file at the consumer reporting agencies without your consent. There may be fees for placing, lifting, and/or removing a security freeze, which generally range from $5-$20 per action. Unlike a fraud alert, you must place a security freeze on your credit file at each consumer reporting agency individually. For more information on security freezes, you may contact the three nationwide consumer reporting agencies or the FTC as described above. As the instructions for establishing a security freeze differ from state to state, please contact the three nationwide consumer reporting agencies to find out more information.

The consumer reporting agencies may require proper identification prior to honoring your request. For example, you may be asked to provide:

You can contact the FTC to learn more about protecting your personal information. The contact information for the FTC is below:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft/

For Rhode Island residents: You may obtain information about protecting your personal information from the Rhode Island Office of the Attorney General at:

Rhode Island Office of the Attorney General
Consumer Protection Unit
150 South Main Street
Providence, RI 02903
(401)-274-4400
http://www.riag.ri.gov

You have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security number, date of birth, and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request for a security freeze. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.