MyFitnessPal is an app and website that tracks nutrition and exercise information to improve overall user fitness. On March 25, MyFitnessPal became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts sometime in late February. The data breach posed a risk to its 150 million users and provides lessons for software developers.
The affected information appears to be hashed usernames, hashed e-mail addresses, and hashed passwords. MyFitnessPal also collects payment information when a user wants to access premium features, but payment information was not considered at risk because it is processed separately. No government-issued identifiers (e.g. social security numbers) were at risk because MyFitnessPal does not collect that information.
The hashed passwords were protected with bcrypt, a 184-bit hashing function, while the usernames and e-mail addresses were protected with SHA-1, a 160-bit hashing function that is far easier to crack than bcrypt. One attorney not involved in the potential class action against MyFitnessPal commented, “If you have 12 doors, why would you put double locks on 11 doors, but then put an easily-picked lock on the twelfth door? Why would a company use a weaker security regime on protecting names and email addresses?”
The SHA-1 hash function has been considered insecure for some time. The National Institute of Standards and Technology (NIST) began discouraging the use of SHA-1 for digital signature generation in 2011 and prohibited its use for that purpose after December 2013. The viability of the algorithm took a further blow in February 2017, when Google and CWI, the Netherlands’ national research institute for mathematics and computer science, produced two distinct files that hash to the same SHA-1 value, demonstrating in practice that the function does not produce reliably unique hashes.
Eagle Consulting recommends that software developers follow the latest NIST recommendations for cryptographic algorithms, NIST SP 800-131A Rev. 1, as well as the OWASP password storage principles for the storage of user credentials.
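As an added illustration (not code from this article or from MyFitnessPal), the following Python contrasts the unsalted SHA-1 used for the e-mail addresses with a salted, deliberately slow credential hash of the kind the OWASP guidance calls for. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, and the e-mail addresses and the storage-string format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample e-mail addresses, stand-ins for values stored as plain SHA-1 digests.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "alice@example.com"]


def sha1_digest(value: str) -> str:
    """Unsalted SHA-1: fast and deterministic, so identical inputs give identical
    digests and a digest can be matched against a precomputed table of likely values."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def duplicate_sha1_digests(values) -> set:
    """Digests that occur more than once. With an unsalted hash, every repeated
    e-mail in a leaked table is visible without reversing anything."""
    seen, dupes = set(), set()
    for v in values:
        d = sha1_digest(v)
        if d in seen:
            dupes.add(d)
        seen.add(d)
    return dupes


def hash_credential(value: str, iterations: int = 600_000) -> str:
    """Salted, slow hash in the spirit of bcrypt. PBKDF2-HMAC-SHA256 from the
    standard library stands in here; the "algo$iterations$salt$digest" string
    format is hypothetical. A fresh random salt makes equal inputs hash differently."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(value: str, stored: str) -> bool:
    """Re-derive with the stored salt and work factor, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse to verify against a legacy/unknown scheme
    digest = hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("SHA-1 duplicate digests:", duplicate_sha1_digests(SAMPLE_EMAILS))
    stored = hash_credential("alice@example.com")
    print("second salted hash differs:", stored != hash_credential("alice@example.com"))
    print("verification succeeds:", verify_credential("alice@example.com", stored))
```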