See, most comments here are a bit on the side of So what? Who cares?, but fitness data is health data and health data is considered extra sensitive. And I guess rightly so, because of this: http://www.tearsheet.co/data/allstate-is-watching-you-how-th...
My prediction is that most health-related apps will be regulated in the near future. It's already happening with the GDPR to some extent, which classifies health data as sensitive requiring extra protection (and extra consent from users).
A breach like that (if fitness data was leaked) could result in heavy fines under GDPR (or something like the Medical Device Regulation, which is starting to extend to medical/health apps), if it becomes clear that the company didn't take security seriously enough.
I'm 36, is this a generational thing?
I used to be really insecure about being nude - I requested, and got permission to, change somewhere besides the locker room in middle school - but I think I don't care anymore, and I don't really know when this change came about.
In most cases, when I send _anything_ to anyone, I do so accepting the fact that it may one-day end up as public knowledge. That hasn't stopped me from the occasional drunk tweet, but I won't send naked photos of myself to anyone, even privately. If I hadn't regained the 25 lbs I lost last year using MyFitnessPal, I might not mind as much.
That said, I also do my banking online, so I'm not exactly strict about it.
I wouldn't say so. I'm significantly younger than you and I feel the same way.
I signed up with completely fake info, and an email address only for MyFitnessPal. My account has no photos, very little to no personal info, only a food/exercise log, recipes, and weight records.
Sad to see so many in this thread seemingly not care about personal privacy anymore. Privacy has died and no one even cares.
//Late 30's in age
I'm kinda into it TBH.
From my perspective, what's the worse that could happen? Russia already has my dick pics, probably. If someone sent them to my mom, I'd say, "mom, don't look at those." If they sent them to my employer, I'd say "hey guys, looks like I was hacked lol." Probably wouldn't be fired over it and if I was I could just get a different job. If it somehow blew up on the internet I'd just become an anonymous remote contract worker or something.
This is kind of a fun exercise in threat management actually, the threat being my dadbod being exposed. Maybe I'm not taking it seriously enough? I know people that have had naked pictures of them exposed and it was traumatizing for them. For some reason I just don't think it would be for me.
EDIT: That's not to say the exposure wouldn't be an objectively shitty thing to do... just because I think I can handle it doesn't mean anybody else should have to worry about this kind of thing happening to them.
This leak disappoints me because my oat obsession should be known only by those who truly know me, like my family and the NSA.
I still am annoyed it doesn't open on diary by default. The picture+weight feature is nice though. Wish it let me track bodyfat too. All told I've got about 4 apps I use for fitness now:
MFP for food/calorie, weight, and picture tracking
Google Fitness for cardio maps and timing, and total gym time tracking. Also fun that it automatically records my bike rides. Not fun that I have to manually change my motorcycle rides from bike rides into not bike rides (when was the last time somebody got a bicycle up to 90mph on 280? shrug). Also track weight in there because I'm convinced one day google will implement some badass machine learning and I want the data there for when it happens.
"FitNotes" for setting lift routines and tracking weight in lifts. Also used for tracking bodyweight and bodyfat (only app in my list that tracks bodyfat). I add my bodyweight in there because it's cool to compare graphs of bodyweight to lifted weights. I've had great email conversations with the developer, he has a fantastic, simple development philosophy, and he has kept his app free for years now, with no ads or other BS.
Newly added "goodtime" for just a simple timer that will vibrate after 2 minutes, my break time between lifts. It was remarkably hard to find an app that just did this, as my default android alarm timer was tied to my alarm tone, so I'd have to switch it to vibrate and back when working out. Missed a morning alarm once before I decided enough of that...
Overall, the execution is good. I love the integration with iOS activity which means all my Strava and watch+activity and Wahoo cycling computer activities are tracked/integrated. I thought it would be a massive PITA and avoided tracking for years and years because of this, but I'm at something like 120 days straight and it's been a breeze.
I'm under the impression it's the best nutrition tracking app.
I've moved on to iHealth for tracking weight and exercise amounts, for which I used MyFitnessPal in the past. This information is still in MyFitnessPal, and I will sometimes look at the graphs there, but not often. Apple Watch and a Bluetooth scale are great for the quantified self.
If you care about much more, then Cronometer is commonly considered the best.
At least we didn't get the stereotypical "your passwords are hashed, so nothing to worry about" one liner I've been reading from a lot of companies during disclosures. All they said here is that the passwords are hashed and with a reasonably secure method -- bcrypt (although without knowing work-factor and percentage of passwords, it is hard to know just how strongly).
It has become pretty difficult to operate online these days without password managers. Password reuse has become a massive problem that worsens with each breach at a popular service. With a password manager you can just rotate the randomly generated password since you likely didn't know your old one anyway.
Off Topic: I'm surprised nobody makes a hardware "pepper"[0] that supports popular algorithms. Meaning you hash the password as you normally would (inc. salt) and then send it through the pepper-ing device for another round before storing it. That way even if someone stole the database, knew the salt, and the hashing algorithm+work-factor, they'd still lack the hardware pepper making their job significantly harder.
The “majority” of the passwords were hashed with bcrypt. https://content.myfitnesspal.com/security-information/FAQ.ht...: ”The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.”
That majority could be as low as 50.0000001%. I also couldn’t find how many accounts were affected. I guess they don’t know, so we must assume all of them.
It could only be that low if they have about half a billion user accounts.
Speaking of proper password hashing--are there any methods similar to bcrypt but where you can increase the work factor on the currently stored passwords without having to have access to the plain password?
E.g., suppose you have a database of hashed passwords with work factor 4. You want to up the work factor to 6. The usual way to do this that I've seen is to start using 6 for new passwords, and when people with existing passwords log in you verify the password with the 4 hash, and then before discarding the plain password you 6 hash it and update the database with that.
But that leaves 4 hash password still working for however long it takes people to get around to logging in. If you are raising the work factor it is presumably because you think the old work factor is no longer secure enough, so you probably don't want the old 4 hashes to keep working.
You could remove the 4 hashes of anyone who doesn't login and get updated within a reasonable time, making them go through the "forgot my password" routine, but that will annoy them. Hence, my curiosity about ways to updated the work factor more directly.
There's a kludge way to kind of do it. Go through the database, take all the 4 hashes, and treat those hashes as if they were the passwords, and 6 hash those and store them, along with a flag that marks this as a transitional password. When a user with such a password logs in, you 4 hash their plain password, 6 hash the result, and if it matches, you then 6 hash the plain text password and store the hash, and remove the transitional flag. But this is really quite ugly.
algo | hash
bcrypt(hardness=2,input=INPUT + 23423526) | 938240
bcrypt(hardness=3,input=INPUT + 342352643) | 239223
Now the only thing that one needs to do is convert this table to:
algo | hash
bcrypt(hardness=3,bcrypt(hardness=2,input=INPUT + 23423526)) | 23423423
bcrypt(hardness=3,bcrypt(hardness=3,input=INPUT + 342352643)) | 90192902
Where bcrypt(hardness=3,938240) = 23423423
bcrypt(hardness=3,239223) = 90192902
Interestingly, a similar scheme could be used to offload some of the hashing work to the client machine - send the first salt to the client and have them do the 4 hash, then do a serverside 2 hash on the client's result.
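As an added example (not from any commenter above, and not MyFitnessPal's code), here is the "transitional password" scheme from the two comments above in working form: the stored hash is wrapped in a second KDF pass so the work factor goes up without the plaintext, and the record is flattened to a single pass the next time the user logs in. bcrypt is replaced by PBKDF2-HMAC-SHA256 from the standard library so it runs without a third-party package; the cost parameter is an exponent (2**work iterations), mirroring bcrypt's. The record format and all field names are this example's own assumptions.

```python
"""Raise a stored password hash's work factor without the plaintext by
wrapping the old hash in a second KDF pass (the transitional scheme from
the thread), then flatten it on the user's next successful login.
Stand-in for bcrypt: PBKDF2-HMAC-SHA256, work factor = iteration exponent.
Record layout and names are assumptions made for this example."""
from __future__ import annotations

import hashlib
import hmac
import secrets

TARGET_WORK = 6  # every record should end up at this cost


def kdf(secret: bytes, salt: bytes, work: int) -> bytes:
    """Salted, tunable, one-way function (2**work iterations)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 2 ** work, dklen=32)


def hash_password(password: bytes, work: int = TARGET_WORK) -> str:
    """Plain record: 'kdf$work$salt$digest' with hex fields."""
    salt = secrets.token_bytes(16)
    return "$".join(["kdf", str(work), salt.hex(), kdf(password, salt, work).hex()])


def upgrade_without_password(record: str, new_work: int = TARGET_WORK) -> str:
    """Offline upgrade of a plain record.  The old digest is the only
    password-derived value available, so it becomes the input of a second
    pass: 'wrap$new_work$new_salt$old_work$old_salt$outer_digest'.
    The old digest itself is discarded, so nothing in the database can be
    attacked at the old cost any more; a guess now costs 2**old + 2**new."""
    kind, work, salt, digest = record.split("$")
    if kind != "kdf" or int(work) >= new_work:
        raise ValueError("only plain records below the new work factor can be wrapped")
    new_salt = secrets.token_bytes(16)
    outer = kdf(bytes.fromhex(digest), new_salt, new_work)
    return "$".join(["wrap", str(new_work), new_salt.hex(), work, salt, outer.hex()])


def verify(record: str, password: bytes) -> tuple[bool, str | None]:
    """Check a password against either record kind.
    Returns (ok, replacement): replacement is a fresh plain record at
    TARGET_WORK whenever the stored one is transitional or below target,
    to be written back on successful login (the plaintext is in hand then)."""
    fields = record.split("$")
    if fields[0] == "kdf":
        _, work, salt, digest = fields
        candidate = kdf(password, bytes.fromhex(salt), int(work))
        needs_rehash = int(work) < TARGET_WORK
    elif fields[0] == "wrap":
        _, new_work, new_salt, old_work, old_salt, digest = fields
        inner = kdf(password, bytes.fromhex(old_salt), int(old_work))     # the old "4 hash"
        candidate = kdf(inner, bytes.fromhex(new_salt), int(new_work))    # the outer "6 hash"
        needs_rehash = True  # always flatten wrapped records once the plaintext is seen
    else:
        raise ValueError("unknown record kind")
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest))
    return ok, (hash_password(password) if ok and needs_rehash else None)


if __name__ == "__main__":
    legacy = hash_password(b"correct horse battery", work=4)
    wrapped = upgrade_without_password(legacy, new_work=6)   # no plaintext needed
    ok, fresh = verify(wrapped, b"correct horse battery")      # login: flatten to kdf$6
    print(ok, wrapped.split("$")[0], "->", fresh.split("$")[0] if fresh else None)
```

The salt of the inner pass has to stay in the record, since the login path must reproduce the original hash exactly before applying the outer pass; the same split is what the client-offload idea above relies on.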
Well, I suppose it wouldn't, would it? Is this supposed to be impressive?
How many more of these before serious legislation gets through?
EDIT: Plus, like someone pointed out below, Facebook collected a lot of data that it shouldn't and didn't declare as well.
I don’t think there’s anything odd about clarifying that certain data wasn’t compromised.
/s
So it probably doesn't hurt to mention?
I never agree to sharing my email address with partners, so if that's the case, then it was without my consent.
However generally speaking, I've noticed there's a big difference in the spam you get from somebody selling your data and the spam you get from a database compromise. When somebody sells your data, you get spam from real organisations who happen to be acting in a sleazy way (e.g. bulk promo emails sent to people without their consent). When somebody's database gets compromised, you get things like phishing emails and V14gr4-style emails designed to bypass spam filters. The MyFitnessPal spam was the latter sort.
Here's an example:
****Quailty Medstore 2017****
--Low Pr1ce$ For Pills--
--Fsat Delivery Wroldwide--
--Trusetd Onlline Shhop--
<spam URL redacted>
This was sent to an email address I've only ever given to MyFitnessPal. MyFitnessPal say the breach happened in late February of this year, but this email was sent in August of last year.[0] https://www.reddit.com/r/unitedkingdom/comments/888ds3/under...
If you have your own domain name, you can set up a catch-all address, so if you own example.com, then you can register on websites and in apps with somewebsite@example.com instead. This works everywhere.
You can then look at what email address an email was addressed to to see how the sender got hold of your email address, and you can filter and block future emails based on that address as well. So if, for instance, you've registered with MyFitnessPal with myfitnesspal@example.com, then you can cut off everybody who's got hold of your email address via the MyFitnessPal breach with 100% effectiveness using one spam rule.
realemailaddress+myfitnesspal@example.com
Or: realemailaddress+0f3eda@example.com
The assumption here is that you have something to keep track of what code you've assigned to what service.
Of course, some services don't allow a + in the email address so this only goes so far.
If you want to get slightly fancier, you could use your own domain and a catchall alias that sends everything to your real mailbox. That lets you use an address that doesn't have any obvious relationship to your real email address, apart from the domain name.
If you want to get ultra fancy, you could run your own mail server and set up a process to generate unique email addresses on the fly and keep track of which service was given which address. This is really just attaching some automation to the previous example, possibly using 'real' mailboxes for the incoming email.
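An added example (not from the commenters above) of the filtering side of the per-service address idea: work out which alias a message was delivered to, for both the plus-address form (realemailaddress+myfitnesspal@example.com) and the catch-all form (myfitnesspal@example.com), and block anything sent to an alias you know has leaked. The domain, mailbox name, blocklist and header choice are assumptions for the example; the sample messages are constructed, the first one after the spam quoted earlier in the thread.

```python
"""Attribute a received message to the alias it was sent to, then apply
one block rule per leaked alias.  Domain, mailbox and blocklist are
assumptions for this example; sample messages are constructed."""
from __future__ import annotations

import email
from email.utils import getaddresses

MY_DOMAIN = "example.com"          # assumption: the domain you own
REAL_LOCAL = "realemailaddress"    # assumption: your real mailbox's local part
LEAKED_ALIASES = {"myfitnesspal"}  # one rule cuts off everyone who got this address


def alias_tag(addr: str) -> str | None:
    """Return the tag an address carries, '' for the bare real address,
    or None if the address is not ours.  Case-insensitive, since senders
    often re-case addresses they bought or stole."""
    local, sep, domain = addr.rpartition("@")
    if not sep or domain.lower() != MY_DOMAIN:
        return None
    local = local.lower()
    if local == REAL_LOCAL:
        return ""
    if local.startswith(REAL_LOCAL + "+"):
        return local[len(REAL_LOCAL) + 1:]   # plus-addressing: realemailaddress+tag@
    return local                             # catch-all: the local part is the tag


def tags_for_message(raw: bytes) -> set[str]:
    """Collect the tags of every recipient address we can see.  Bulk spam
    is usually Bcc'd, so To:/Cc: often do not name you at all; the envelope
    recipient survives in Delivered-To / X-Original-To, which the receiving
    MTA adds (Postfix and Gmail both do), so those are checked as well."""
    msg = email.message_from_bytes(raw)
    values = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(msg.get_all(header, []))
    tags = set()
    for _, addr in getaddresses(values):
        tag = alias_tag(addr)
        if tag is not None:
            tags.add(tag)
    return tags


def should_block(raw: bytes) -> bool:
    return bool(tags_for_message(raw) & LEAKED_ALIASES)


# Constructed sample, modelled on the spam quoted in the thread (URL omitted).
# Note the To: header gives nothing away; only Delivered-To names the alias.
SPAM = b"""Delivered-To: MyFitnessPal@example.com
From: "Quailty Medstore" <sales@invalid.example>
To: undisclosed-recipients:;
Subject: ****Quailty Medstore 2017****

--Low Pr1ce$ For Pills--
--Fsat Delivery Wroldwide--
"""

# Constructed sample of legitimate mail to a different alias.
LEGIT = b"""Delivered-To: realemailaddress+newsletter@example.com
From: editor@newsletter.example
To: realemailaddress+newsletter@example.com
Subject: March issue

Hello
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, sorted(tags_for_message(raw)), "block" if should_block(raw) else "keep")
```

Blocking on the alias rather than on the sender is what makes the rule complete: whoever bought or stole the list, and however they rotate sending domains, they only have the one address to send to.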
Better change it, sigh...
Hello,
Thanks for writing into us regarding https on MyFitnessPal.
We have technical and organizational measures in place to protect your information. Specifically, we have a secure login process designed to protect your information as you access MyFitnessPal (i.e., login and profile data are submitted using HTTPS POST actions).
The login pages of the MyFitnessPal that are encrypted via https include:
http://www.myfitnesspal.com
http://www.myfitnesspal.com/login
http://www.myfitnesspal.com/logout
Although our home page at http://www.myfitnesspal.com may not indicate the presence of https in your browser's interface, the actual login "lightbox" or pop-over window on the home page does send your login credentials via https.
After login, the MyFitnessPal website does not always load in HTTPS only mode (i.e. padlock not fully closed or green). This is because we sometimes load public content like images, public text from Under Armour, images & text from our advertising partners, and other non-user data using HTTP. While we load that public content using HTTP, we load user content using HTTPS.
We also continue to evaluate the security of our platforms, and have a dedicated team of cybersecurity professionals focused on this area. We will continue to review our security protocols to protect personal data.
Please let us know if you have additional questions or concerns.
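As an added example (not from the support reply above, nor MyFitnessPal's code), a static check for the two situations that reply describes: a login "lightbox" on a page that was itself fetched over http://, and a logged-in https:// page that pulls assets over http://. Sub-resources are classified the way browsers classify mixed content: scripts, stylesheets, frames, objects and form targets are active mixed content (blocked or warned on by current browsers, since an on-path attacker who can inject them controls the page), images and media are passive. The HTML below is constructed for the example; the asset hostnames in it are made up.

```python
"""Static mixed-content check for a page's HTML.  Page URLs and markup
below are constructed for this example, not fetched from the site."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> attribute holding the URL.  Active content can run or restyle the page.
ACTIVE = {"script": "src", "iframe": "src", "form": "action", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page = urlparse(page_url)
        self.findings: list[tuple[str, str, str]] = []  # (severity, element, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check("active", "link[rel=stylesheet]", a.get("href"))
        elif tag in ACTIVE:
            self._check("active", f"{tag}[{ACTIVE[tag]}]", a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", f"{tag}[{PASSIVE[tag]}]", a.get(PASSIVE[tag]))
        # The lightbox case: the POST may well go to https://, but the form the
        # user types into arrived over http:// and can be rewritten in transit.
        if (tag == "input" and (a.get("type") or "").lower() == "password"
                and self.page.scheme == "http"):
            self.findings.append(("active", "input[type=password] on http:// page", self.page_url))

    def _check(self, severity: str, where: str, ref: str | None) -> None:
        if not ref:
            return
        # urljoin resolves relative and protocol-relative (//cdn/...) references,
        # which inherit the page's scheme and are therefore not mixed content.
        target = urlparse(urljoin(self.page_url, ref))
        if self.page.scheme == "https" and target.scheme == "http":
            self.findings.append((severity, where, target.geturl()))


def scan(page_url: str, html: str) -> list[tuple[str, str, str]]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed: home page served over http:// with an https:// login lightbox.
HOME_PAGE = """<html><body>
<script src="https://www.myfitnesspal.com/app.js"></script>
<div class="lightbox"><form action="https://www.myfitnesspal.com/login" method="post">
<input name="username"><input type="password" name="password"></form></div>
</body></html>"""

# Constructed: logged-in https:// page mixing in http:// assets (hostnames made up).
LOGGED_IN_PAGE = """<html><head>
<link rel="stylesheet" href="//static.example/site.css">
<script src="http://ads.example/tag.js"></script></head><body>
<img src="http://static.example/banner.png">
<img src="/images/avatar.png">
</body></html>"""

if __name__ == "__main__":
    for url, html in (("http://www.myfitnesspal.com/", HOME_PAGE),
                      ("https://www.myfitnesspal.com/food/diary", LOGGED_IN_PAGE)):
        for severity, element, target in scan(url, html):
            print(f"{url}: {severity:7} {element} -> {target}")
```

The "padlock not fully closed" the reply mentions is the passive case; the script finding is the one that matters, because a single injected http:// script on an authenticated page has the same access to user content as the page's own code.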
Side note: MyFitnessPal the app is awful, but many of us still use it because it has the most extensive database of food products out there. Outside of that it has no merit and has felt abandoned in forever. Can someone recommend an actually superior alternative?
MyFitnessPal has a similar advantage to Google, they have the most and richest data, and anyone else entering that market starts at a huge disadvantage. You could definitely make a FOSS app of the core tracking concept, it is just going to be super painful to use compared to MyFitnessPal.
Which is just why breach of this data is dangerous.
Make it more costly to get fined than it is to get hacked. Or some white collar jail time if it was negligence or covering it up.
"Oh hi users, the things you gave to us and we were supposed to keep safe, well, someone came and took them."
Say the bank sent all their customers a similar message, how would their customers be expected to react? Why is it any different in the tech industry?
Basically these apology messages amount to: "Someone accessed your private stuff, please change the special key you use to access your stuff. End."
Should there be more to this than just that? Yes you'll make sure the locks are stronger, but what about that thing I've now lost? What are you going to do about that?
You mean like when Home Depot lost thousands of credit card numbers? Or when Target did the same? Or when Equifax lost millions of people's private data?
The response is always "Welp, sorry! We'll do better next time!" and the tech industry isn't alone here.
I really appreciate them including this information. It shows they’re following best practices and I don’t need to read the rest of the article with a grain of salt.
>The affected information included usernames, email addresses, and hashed passwords
It included usernames, emails, and hashed passwords? So what else was breached? This seems like they are implying nothing serious was stolen without giving specific info.
From what I have seen very very few companies have strictly separated databases for different types of data and so on.
For the vast majority of companies a compromise is an all or nothing event.
[1] http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data...
Use of a salt makes all the difference, guarding against the use of rainbow tables to look up precomputed hashes of common passwords.
If they're using bcrypt, then they're using salts since salts are built in to bcrypt.
I thought to myself - on the face of it they don't seem too hot on security, I wonder how long it will be before they get hacked or something?
Well, I wasn't expecting less than 24 hours.
Can anyone more versed in this do a quick look for abnormal behavior?
E.g. I don't think I would really care about pics of my dick being made public, but plenty of women get routinely harassed (often to the point of sexual assault or suicide) because of sexy selfies some idiot shared with friends.
Those of you affected by this breach, have you noticed any unusual spam/emails recently, that may be related to MFP? I’m wondering if they got the tip-off from their users.