Data without a place to put it is just bits of nothing, floating in space or siloed into one-off devices. The fitness trackers of the modern age, from smartwatches to fitbits to activity information collected from the gyroscopic sensors insides phones that counts steps, are all data with a purpose, meant to be fed into a greater portrait of what an individual does, a thousand tiny measurements aggregated into a portrait of health. Keeping that data secure and useful is the task of whatever app a person chooses to take on that burden.
Under Armour, which owns MyFitnessPal, a device-agnostic fitness data collector and aggregator, announced on Thursday that the app suffered a data breach which affected 150 million users. (To grasp the scale of that, it’s a number of users equal to slightly more than the entire population of Russia, or a number of users equal to a little less than half the population of the United States. It is also 2 percent of the estimated world population). What is the security world to make of the breach?
It is hard to suss out exactly the demographics of MyFitnessPal users; fitness apps trend younger in the population while calorie counters trend older, and MyFitnessPal is both. It’s safe to say that a significant amount of those 150 million users are likely American, and that at least some of those users are service members. And if that’s the scale of the breach, it’s entirely possible that included in the captured information are a .mil or .gov email address and a login that doubles as the user’s own password to that email account.
The breached information includes passwords, usernames, and emails. Stolen passwords, usernames, and emails can be sold to nefarious actors or mined to find new ways into familiar targets. The same person using the same password, username, and email between multiple services is a exhaustingly common practice, which means one identified set of logins for a person can possibly open multiple accounts.
Still, this could have been a lot worse. We’ve seen what information can be gleaned from a published map built on aggregated user fitness data, which includes things like forward operating bases or Patriot missile sites. Strava has since changed its policy to make private information disappear from maps in monthly updates, and has taken some measures to hide lightly used routes. (It is also worth noting that Strava’s fitness data remains controlled by Strava, and most of the concern focused on the published maps, rather than the hypothetical of what that lost data could mean. As of this writing, we have no indication that any of the fitness data collected by Strava has fallen outside of Strava’s control).
That fitness data itself has not yet been stolen and used for some hostile purpose does not preclude the possibility that someday it might. Hackers armed with stolen logins may try and see if there’s a back way into MyFitnessPal. Different attackers in another attempt may instead hit the fitness data first (though payment data remains the meatier target). And then, once they have that data, what might be done?
As Christina Boddington noted at Slate:
Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when. And it’s an important reminder that all of your most personal data is vulnerable to being hacked, no matter how trivial it seems. Our smartphones, wearables, and apps are gathering millions of data points about our lives on a daily basis. Things like your calorie intake and step count may not seem valuable to a hacker. But paired with other information gathered by a fitness tracker, such as where you worked out or how long you were away from home, those insignificant data points can paint a valuable picture of who you are.
In the aggregate, fitness data can reveal locations of facilities, behaviors in places. In the particular, fitness data can create an in-depth portrait of a single person, patterns of a daily life that indicate everything from where they walk to the dog to what time of day they likely took a lunch break and left their computer unattended.
For individuals, the salient point is that cybersecurity is everyday security, that everything annoying about changing passwords and usernames is in fact useful (password managers in particular are a great help here). Personal cyber security isn’t once-and-done but a lifelong practice, because eventually some company will lose key data, and it’s best to minimize the damage with each breach, so that stolen logins for fitness tracking isn’t a gateway into personal finances or anything else. One breach does not equal a national security event.
In the broader picture, the targeting of a fitness company may have just been one of opportunity. Or it may be a specific effort to get access to vast amounts of data about more people than live in most countries, and to then turn that data into some useful tool for future exploits.