Somebody is about to come across 250 pictures of me in my boxers standing in front of a dirty mirror with my belly popping out. I only hope they don't judge me for the size of my belly not really changing over those 250 days...
They won't judge you, but your health insurance rate might go up for unspecific reasons.
See, most comments here are a bit on the side of So what? Who cares?, but fitness data is health data and health data is considered extra sensitive. And I guess rightly so, because of this: http://www.tearsheet.co/data/allstate-is-watching-you-how-th...
My prediction is that most health-related apps will be regulated in the near future. It's already happening with the GDPR to some extend, which classifies health data as sensitive requiring extra protection (and extra consent from users).
A breach like that (if fitness data was leaked) could result in heavy fines under GDPR (or something like the Medical Device Regulation, which is starting to extend to medical/health apps), if it becomes clear that the company didn't take security seriously enough.
Insurance companies are tightly regulated by state and federal authorities. There is zero chance they would break the law by using illegal data to change pricing for a tiny fraction of their members. And even if they could legally use the data, their actuaries would have a tough time actually using it considering the lack of research about how fitness activities impact claims expenses.
Most EMR (electronic medical records) software isn't even regulated, though about 8-10 years ago there was a big todo about it coming down the line. Still hasn't happened. I would expect the EMRs to be regulated long before consumer apps.
Most EMR vendors specifically design their products to not be medical devices. They simply store, display, and transmit patient charts. If the FDA was to regulate EMRs as medical devices then logically they would also have to apply the same rules to filing cabinets and fax machines.
If they are used to store protected health information it’s the practice’s duty to make sure they comply with HIPAA regulations. So for example can’t leave that file cabinet unlocked out in the front lobby.
When I was looking to make an app for a clinic they had to do a security review of the app. If the data wasn’t encrypted at rest it was a no-go. There are entire data companies sprouting out to address this issue. I think TrueVault is a Y-Combinator alum.
Aah, gotcha. Well if the FDA medical device regulations don’t cover it, is there not still the possibility of some other regulation still effectively covering it?
For example something like, the way my device functions may not be regulated but the use of my device by a medical provider is regulated.
Hi, even if a data breach hadn't happened, did you have any concerns about people within the company having access to those photos? I also use myfitnesspal and strava but I have a strong aversion to sharing that kind of info with anyone, period.
I'm 34, and I don't care. I also tend to walk around naked, without much care if someone spots me through a window - though I try not to obviously flash the neighbors through the kitchen window, which is the only real direct easy sightline.
I used to be really insecure about being nude - I requested, and got permission to, change somewhere besides the locker room in middle school - but I think I don't care anymore, and I don't really know when this change came about.
Same here - my new roommate is constantly closing the blinds at night because he doesn't want the old lady in the building across from us see us sit around and play video games, I guess.
I remember refusing to shower after the gym because I didn't want people to see my wiener.
I think it changed when my friend's bathroom's door lock was broken. His brother was about to go in and was the kind of guy that liked to announce it before doing so. I warned him about the door, and he goes "so?" I remember being very surprised he didn't care, so I ask "Well, what if someone walks in on you taking a dump?"
He laughs. "I'd say, 'get out of here, I'm taking a dump!'"
That was nearly 18 years ago and it sticks in my mind so well.
Back in Roman times you'd go to the communal bathroom with your friends, sitting side by side and having a chat while doing your business. They didn't even bother with cubicles back then.
Yes well should we talk about other things that happened back in Roman Times....
>>>sitting side by side and having a chat while doing your business. They didn't even bother with cubicles back then.
Please please lets not bring that back.... restrooms are not a meeting space, I dislike it when people attempt to talk to me at the sink when washing my hands, no restrooms are not a meeting space....
I definitely understand your discomfort! That's not something you should have to do if you don't like it.
I'm curious though, what happens if instead of reading the sentence like "back in Roman times, you read it like this:"
In rural India, it's typical for people to sit side-by-side and have a chat while doing your business. Sometimes they don't bother with cubicles there.
Or, maybe:
Wildfire firefighters, while on a line, typically squat side-by-side while doing their business. No cubicles in the wilderness.
If you don't think of it like a generational difference, and instead a cultural one, what are your thoughts? I only ask because I used to feel the same way until I witnessed #2. Sometimes it's just a mindset change, or cultural difference.
Exactly. Even moreso, he made me realize there was nothing to fear. This "what's the worse that could happen, and how must I react" mindset has carried across to so many things for me.
What's the worse that could happen if someone walks in on my taking a dump? Well... I guess they'll have seen me taking a dump! And I'll tell them to leave!
What's the worse that could happen in this cold call? Well, I guess he could call me an asshole and hangup, and I'll make another call!
What's the worse that could happen if I ask for a raise? I get told no, and continue on with my day!
I'm almost 40 and this sort of thing doesn't bother me whatsoever. If someone wants to spend months flipping through billions of photos of strangers who are trying to lose weight, I couldn't possibly be bothered by it.
In most cases, when I send _anything_ to anyone, I do so accepting the fact that it may one-day end up as public knowledge. That hasn't stopped me from the occasional drunk tweet, but I won't send naked photos of myself to anyone, even privately. If I hadn't regained the 25 lbs I lost last year using MyFitnessPal, I might not mind as much.
That said, I also do my banking online, so I'm not exactly strict about it.
There is some old joke. If you suddenly woke up naked in the street and you only had a small square of cloth. What would you cover ? Answer: your face.
I'm 34 and I've never had photos developed. When I was old enough (14-15?) to care about taking pictures of things I had one of those Sony Mavica floppy disk cameras that could hold something like, I dunno, 30-50 pictures.
But, on the flip side, every time I goto Walgreens there's people getting photos developed.
No, it didn't. But you took the chance the individual at that location was supremely interested in certain types of photos, whereas now if a '10x' developer was given access to a large amount of data they could zone in on what they want.
Upon writing my concerns out I am struck by how narcissistic and unlikely it sounds, but I still think I'd be a bit queasy when I click upload.
I'm 9 years your junior and I wouldn't care if pictures of me fully naked were all over the internet, but at the same time I'm a privacy freak. I think the division for me is: my image says nothing about me other than my love of gluttony, but my words and actions are my identity.
I guess it's a philosophical issue, but I would consider my physical image to be a part of my identity. In a way it's a reflection of a person's actions.
Even if you don’t personally identify with it, your love of gluttony can be used by others to identity you. So in that sense it’s a part of your identity.
>> I also use myfitnesspal and strava but I have a strong aversion to sharing that kind of info with anyone, period.
I signed up with completely fake info, and a email address only for myfitnesspal, My account has no photos, very little to no personal info, only a food/exercise log, recipes, and weight records.
Sad to see soo many in this thread seemingly not care about personal privacy anymore. Privacy has died an no one even cares.
I think it's entirely personal, and I wouldn't judge anybody for being less, er, voyeuristic than me.
I'm kinda into it TBH.
From my perspective, what's the worse that could happen? Russia already has my dick pics, probably. If someone sent them to my mom, I'd say, "mom, don't look at those." If they sent them to my employer, I'd say "hey guys, looks like I was hacked lol." Probably wouldn't be fired over it and if I was I could just get a different job. If it somehow blew up on the internet I'd just become an anonymous remote contract worker or something.
This is kind of a fun exercise in threat management actually, the threat being my dadbod being exposed. Maybe I'm not taking it seriously enough? I know people that have had naked pictures of them exposed and it was traumatizing for them. For some reason I just don't think it would be for me.
EDIT: That's not to say the exposure wouldn't be an objectively shitty thing to do... just because I think I can handle it doesn't mean anybody else should have to worry about this kind of thing happening to them.
It doesn't say 'only' - it implies by omission that your content was not part of the breached data, but does not assert it. It says the data breach 'includes' usernames, emails and passwords.
> The affected data did not include government-issued identifiers, such as Social Security numbers and driver’s license numbers, information that the app does not collect from users
Well, I suppose it wouldn't, would it? Is this supposed to be impressive?
How many more of these before serious legislation gets through?
I don't think it's supposed to be impressive as much as just reassuring users who are uneducated about that kind of thing. I guarantee someone read this post and started being concerned that it had that information because they don't know how this stuff works.
EDIT: Plus, like someone pointed out below, Facebook collected a lot of data that it shouldn't and didn't declare as well.
That’s a facile complaint. There are obviously classes of data that are far more sensitive than others; a breach of usernames and hashed passwords, while serious, is arguably distinct from a compromise of more sensitive information.
I don’t think there’s anything odd about clarifying that certain data wasn’t compromised.
> It also doesn't include your mother's maiden name, nor does it include your browsing history, email dump, or your camera roll - information that the 'app does not collect from users'
At least we didn't get the stereotypical "your passwords are hashed, so nothing to worry about" one liner I've been reading from a lot of companies during disclosures. All they said here is that the passwords are hashed and with a reasonably secure method -- bcrypt (although without knowing work-factor and percentage of passwords, it is hard to know just how strongly).
It has become pretty difficult to operate online these days without password managers. Password reuse has become a massive problem that worsens with each breach at a popular service. With a password manager you can just rotate the randomly generated password since you likely didn't know your old one anyway.
Off Topic: I'm surprised nobody makes a hardware "pepper"[0] that supports popular algorithms. Meaning you hash the password as you normally would (inc. salt) and then send it through the pepper-ing device for another round before storing it. That way even if someone stole the database, knew the salt, and the hashing algorithm+work-factor, they'd still lack the hardware pepper making their job significantly harder.
That majority could be as low as 50.0000001%. I also couldn’t find how many accounts were affected. I guess they don’t know, so we must assume all of them.
They probably do know, and practically speaking I would guess that those accounts using an older hash are those which nobody has logged into since they switched to bcrypt. Yeah, we don’t know for certain, but it’s a reasonable assumption.
> All they said here is that the passwords are hashed and with a reasonably secure method -- bcrypt (although without knowing work-factor and percentage of passwords, it is hard to know just how strongly)
Speaking of proper password hashing--are there any methods similar to bcrypt but where you can increase the work factor on the currently stored passwords without having to have access to the plain password?
E.g., suppose you have a database of hashed passwords with work factor 4. You want to up the work factor to 6. The usual way to do this that I've seen is to start using 6 for new passwords, and when people with existing passwords log in you verify the password with the 4 hash, and then before discarding the plain password you 6 hash it and update the database with that.
But that leaves 4 hash password still working for however long it takes people to get around to logging in. If you are raising the work factor it is presumably because you think the old work factor is no longer secure enough, so you probably don't want the old 4 hashes to keep working.
You could remove the 4 hashes of anyone who doesn't login and get updated within a reasonable time, making them go through the "forgot my password" routine, but that will annoy them. Hence, my curiosity about ways to updated the work factor more directly.
There's a kludge way to kind of do it. Go through the database, take all the 4 hashes, and treat those hashes as if they were the passwords, and 6 hash those and store them, along with a flag that marks this as a transitional password. When a user with such a password logs in, you 4 hash their plain password, 6 hash the result, and if it matches, you then 6 hash the plain text password and store the hash, and remove the transitional flag. But this is really quite ugly.
I think at least Django stores passwords with an additional field that defines the algorithm used to generate the hash of the password. One could think of a case where instead of algorithm selection you could properly define a simplistic DSL that actually defines how the hash is generated:
Another slightly kludgey option would be to generate a second salt for each user, then 2 hash each hashed password in your database. When the user logs in, you 4 hash with the original salt and 2 hash with the new one each time.
Interestingly, a similar scheme could be used to offload some of the hashing work to the client machine - send the first salt to the client and have them do the 4 hash, then do a serverside 2 hash on the client's result.
I initially really liked the idea of a hardware pepper, however, if that ever goes defunct or you need to spread the load over multiple machines the password now is invalid and the user is stranded and forced to recover their account via email or some other means. I think there are definitely areas where a hardware pepper would be awesome though!
Should be a fine every time this happens and a major fine if it was found due to negligence or not having the appropriate security measures aka yahoo. Yahoo leadership new they were understaffed, cut staffing anyways, got rid of any executive who disagreed, and got no penalty for their mistakes.
Make it more costly to get fined than it is to get hacked. Or some white collar jail time if it wss negligence or covering it up.
The GDPR will cover that. And those fines are massive. It's not going to be a magic bullet against breaches but the effect will definitely be that companies will start to see security no longer as optional or an afterthought but a direct liability if not taken care of properly.
The MyFitnessPal database has been compromised for years. I register with a unique email address for every website and app that I use so that I can tell when somebody's database gets compromised or they sell my data. I started getting an influx of spam to my MyFitnessPal email years ago. I told them about it at the time but they didn't care.
I never agree to sharing my email address with partners, so if that's the case, then it was without my consent.
However generally speaking, I've noticed there's a big difference in the spam you get from somebody selling your data and the spam you get from a database compromise. When somebody sells your data, you get spam from real organisations who happen to be acting in a sleazy way (e.g. bulk promo emails sent to people without their consent). When somebody's database gets compromised, you get things like phishing emails and V14gr4-style emails designed to bypass spam filters. The MyFitnessPal spam was the latter sort.
This was sent to an email address I've only ever given to MyFitnessPal. MyFitnessPal say the breach happened in late February of this year, but this email was sent in August of last year.
As mentioned in the Reddit thread, the terms now specify that that they share your data with partners. I guess the consent they got from you was "Oh hi, so here's the new version of the app, btw we updated our policies, click anywhere to agree".
It seems like a lot of people think that the existence of a privacy policy means they can do whatever they want. This isn't true.
Did you read the privacy policy? It says:
> only to the extent it is necessary for them to (1) provide their products and services to us, or (2) to provide you the products and services that you have requested.
This certainly doesn't cover the kind of spam I mentioned.
Also, I stopped using the app before that privacy policy was ever written. I've searched my email and they never emailed me about it either. I've never been notified about a new privacy policy.
However generally speaking, I've noticed there's a big difference in the spam you get from somebody selling your data and the spam you get from a database compromise
Even if this is true, the sold data may be compromised further down the line.
Perhaps so. As far as I'm concerned, MyFitnessPal and Under Armour would still be responsible in this case. If you share my personal data with somebody, and their security isn't good enough, that's on you.
The way most people do this is with plus addressing. If your mail provider supports it (e.g. Gmail does), you can send email to someuser+somewebsite@example.com and it will be delivered to someuser@example.com. There are a minority of websites and apps that reject emails like that, but they are quite rare and the vast majority don't have any issue with it.
If you have your own domain name, you can set up a catch-all address, so if you own example.com, then you can register on websites and in apps with somewebsite@example.com instead. This works everywhere.
You can then look at what email address an email was addressed to to see how the sender got hold of your email address, and you can filter and block future emails based on that address as well. So if, for instance, you've registered with MyFitnessPal with myfitnesspal@example.com, then you can cut off everybody who's got hold of your email address via the MyFitnessPal breach with 100% effectiveness using one spam rule.
With some email providers you can add something after your email address like this:
realemailaddress+myfitnesspal@example.com
Or:
realemailaddress+0f3eda@example.com
The assumption here is that you have something to keep track of what code you've assigned to what service.
Of course, some services don't allow a + in the email address so this only goes so far.
If you want to get slightly fancier, you could use your own domain and a catchall alias that sends everything to your real mailbox. That lets you use an address that doesn't have any obvious relationship to your real email address, apart from the domain name.
If you want to get ultra fancy, you could run your own mail server and set up a process to generate unique email addresses on the fly and keep track of which service was given which address. This is really just attaching some automation to the previous example, possibly using 'real' mailboxes for the incoming email.
"Oh hi users, the things you gave to us and we were supposed to keep safe, well, someone came and took them."
Say the bank sent all their customers a similar message, how would their customers be expected to react? Why is it any different in the tech industry?
Basically these apology messages amount to: "Someone accessed your private stuff, please change the special key you use to access your stuff. End."
Should there be more to this than just that? Yes you'll make sure the locks are stronger, but what about that thing I've now lost? What are you going to do about that?
You mean like when Home Depot lost thousands of credit card numbers? Or when Target did the same? Or when Equifax lost millions of people's private data?
The response is always "Welp, sorry! We'll do better next time!" and the tech industry isn't alone here.
I wonder if the daily progress photos were leaked as well. I imagine most people won't be thrilled to have their not-too-flattering progress selfies be out in public for the whole world to see.
Side note: MyFitnessPal the app is awful, but many of us still use it because it has the most extensive database of food products out there. Outside of that it has no merit and has felt abandoned in forever. Can someone recommend an actually superior alternative?
What’s wrong with it, out of interest? It seems to work perfectly reliably for me, and I’m super happy that they aren’t getting all change-happy with it.
The iOS app has been pretty good (if a bit buggy and slow), but the desktop web interface is so bad to the point that I haven't used it in over a year -- and I use myfitnesspal daily.
I've definitely had the app perma-crash on me recently, where the only way to get out of the boot-then-crash loop was to delete and reinstall it.
It also fails at the iOS quick access menu about 80% of the time. e.g. you hard-press the app icon, go to "log food" and it goes back to the home page. Or you do the same for "scan barcode" and again most of the time it opens the app and sends you to the home page again. This has been the case for months.
The other comment was flagged but the point I was trying to make is that these two data points of lots of sex and radical weight loss can be interpreted as being promiscuous and getting HIV. Or obviously as a success and success.
Which is just why breach of this data is dangerous.
I begrudgingly use it when I'm focused on losing weight. As soon as I reach my goal, I'm out. It's too frustrating to use it multiple times a day, everyday. I should use it for bulking too, but I'd rather live with the inefficiency of not tracking things perfectly.
This leak disappoints me because my oat obsession should be known only by those who truly know me, like my family and the NSA.
When I first tried it in I think 2011/2012 it was garbage on android. Absolutely unusable. I used "Lose It!" for nearly 5 years because it performed much better, until it started getting extraordinarily slow when doing food searches. So I tried out MFP again and lo and behold, the app had improved tremendously!
I still am annoyed it doesn't open on diary by default. The picture+weight feature is nice though. Wish it let me track bodyfat too. As told I've got about 4 apps I use for fitness now:
MFP for food/calorie, weight, and picture tracking
Google Fitness for cardio maps and timing, and total gym time tracking. Also fun that it automatically records my bike rides. Not fun that I have to manually change my motorcycle rides from bike rides into not bike rides (when was the last time somebody got a bicycle up to 90mph on 280? shrug). Also track weight in there because I'm convinced one day google will implement some badass machine learning and I want the data there for when it happens.
"FitNotes" for setting lift routines and tracking weight in lifts. Also used for tracking bodyweight and bodyfat (only app in my list that tracks bodyfat). I add my bodyweight in there because it's cool to compare graphs of bodyweight to lifted weights. I've had great email conversations with the developer, he has a fantastic, simple development philosophy, and he has kept his app free for years now, with no ads or other BS.
Newly added "goodtime" for just a simple timer that will vibrate after 2 minutes, my break time between lifts. It was remarkably hard to find an app that just did this, as my default android alarm timer was tied to my alarm tone, so i'd have to switch it to vibrate and back when working out. Missed a morning alarm once before I decided enough of that...
It mostly works pretty well and looks okay, though the add actions have inexplicable lag on an iPhone X. The web page is horrendous, though.
Overall, the execution is good. I love the integration with iOS activity which means all my Strava and watch+activity and Wahoo cycling computer activities are tracked/integrated. I thought it would be a massive PITA and avoided tracking for years and years because of this, but I'm at something like 120 days straight and it's been a breeze.
I'm under the impression it's the best nutrition tracking app.
I've moved on to iHealth for tracking weight and exercise amounts, which I used MyFitnessPal in the past. This information is still in MyFitnessPal, and I will sometimes look at the graphs there, but not often. Apple Watch and a Bluetooth scale are great for the quantified self.
I didn't think MyFitnessPal was good enough either so I started working on a chatbot that you can just tell it what you ate in natural language and it will maintain a private web journal for you. I got a basic version to work and then discovered [Nutritionix][1] and lost motivation to compete. They seem to have nailed to web UI part. And they have an NLP input form you can use in the app. So it isn't the same as just texting a bot since you have to open the app, but the NLP is pretty good. And the UI for verifying what the NLP comes up with is also good. After researching every app I could find in this space Nutrionix stands as my favorite.
> The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.
I really appreciate them including this information. It shows they’re following best practices and I don’t need to read the rest of the article with a grain of salt.
It's funny you would mention that because I also got annoyed by this and submitted a feature request for https. This is the response I received:
Hello,
Thanks for writing into us regarding https on MyFitnessPal.
We have technical and organizational measures in place to protect your information. Specifically, we have a secure login process designed to protect your information as you access MyFitnessPal (i.e., login and profile data are submitted using HTTPS POST actions).
The login pages of the MyFitnessPal that are encrypted via https include:
Although our home page at http://www.myfitnesspal.com may not indicate the presence of https in your browser's interface, the actual login "lightbox" or pop-over window on the home page does send your login credentials via https.
After login, the MyFitnessPal website does not always load in HTTPS only mode (i.e. padlock not fully closed or green). This is because we sometimes load public content like images, public text from Under Armour, images & text from our advertising partners, and other non-user data using HTTP. While we load that public content using HTTP, we load user content using HTTPS.
We also continue to evaluate the security of our platforms, and have a dedicated team of cybersecurity professionals focused on this area. We will continue to review our security protocols to protect personal data.
Please let us know if you have additional questions or concerns.
It's hard to believe that not only are they this clueless, but they also are trying to justify their idiotic decisions. Jesus, how hard can it be to set up TLS? Let's Encrypt, anyone?
That's an extremely embarrassing response. Helps me understand how this data breach occurred if an organization is this uninformed about basic security.
GDPR, the new EU Data Protection legislation, will actually require companies to issue notification of a breach of PII, within 7 days of becoming aware of it, I believe.
That only applies to notification to the data protection authority unless the breach "is likely to result in a high risk to the rights and freedoms of natural persons".
>The affected information included usernames, email addresses, and hashed passwords
It included usernames, emails, and hashed passwords? So what else was breached? This seems like they are implying nothing serious was stolen without giving specific info.
"On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts" => highly likely they stole more than what MFP thinks they stole.. we don't know what we don't know. Sigh.
Ah, I had an account here. Checked Lastpass, and, great!
They've got my six character don't-care-about-MyFitnessPal-security password. bcrypt will not save its secrecy in any way, but it hardly matters.
Props for them doing the right thing and hopefully nothing bad comes out of it - looks like they’ve built a useful product. One thing that’s odd to me on many levels though is that it was their Chief Digital Officer signing the announcement and not their head of security. Don’t they have one? Wasn’t this severe enough? I know it’s just perception but still!
Presumably yes. The site of the guy who sued FB has a template you might be able to reuse[1], although it mentions the Irish implementation of the Data Protection directive, whereas Under Armour Europe B.V. is Dutch, so you should probably change that.
The biggest limitation seems to be getting the nutrient information itself. MyFitnessPal has a huge database of off the shelf food products built in (and restaurants) from all over the world. Much of that information provided to the company for free by its users.
MyFitnessPal has a similar advantage to Google, they have the most and richest data, and anyone else entering that market starts at a huge disadvantage. You could definitely make a FOSS app of the core tracking concept, it is just going to be super painful to use compared to MyFitnessPal.
I understand that bootstrapping the database is probably the hardest part, but I haven't been so confident in MyFitnessPal's database anyways. It seems crowdsourced without much quality control and it is hard to trust. There is also the "too much specificity" problem. I don't always want to choose a certain restaurant's version of a food item when I could probably have a decent first pass at the nutrient levels using a generic version of the food item.
You're absolutely right about datasets being a constraint for any new entrant. The USDA SR28 is free and open but limited scope. OpenFoodFacts has a great dataset overall but ~~you can't download it (other than rate-limited scraping),~~ the license is ~~strict~~ share-alike; and there isn't an OFF personal consumption tracker.
No need to scrape Open Food Facts, they kindly offer a download of the whole database as csv, rdf or mongodb dump: https://world.openfoodfacts.org/data
It is 100% crowd sourced open data under the ODbL licence (same as OpenStreetMap).
Thanks for that correction. I recall there being a clear reason why I couldn't use their data in my app. But maybe I had it wrong. I remember reading that if my app collected new data about foods and I was using the OFF db, I had to commit to making all my data free and open. I was worried about the possible case that personal food consumption data would be vulnerable to that share-alike constraint.
No, no worries about personal consumption. What the OdBL requires you to do is to add missing products. Not add data outside the scope of the original database.
(I'm a Open Food Facts admin)
Also please don't scrape us, since we release nightly dumps of the DB :)
Thanks for clarifying that. And that's great that those DB downloads are available. I didn't like the idea of scraping the data in the first place so never went that route.
Feel free to ping me at pierre openfoodfacts.org
We have a online discussion chat, if you want to integrate OFF at some point, and have questions about the OdBL
> The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.
If they're using bcrypt, then they're using salts since salts are built in to bcrypt.
I assume it's a bigger problem for females, because of the different way society perceives female or male sexuality.
E.g. I don't think i would really care about pics of my dick being made public, but plenty of women get routinely harrassed (often to the point of sexual assault or suicide) because of sexy selfies some idiot shared with friends.
No, but the auth token might have. Pretty sure facebook would have preemptively invalidated them all, but if not, you should login to your facebook account and unlink MyFitnessPal.
Maybe because I don’t typically work with authentication software? I feel like that’s not a hard conclusion to reach, don’t understand the incredulous response...
Would be interesting to know how they identified the breach. It is exactly these situations that I produced Breach Insider[0], in the hope to try and reduce the time to detection down from months to days.
Those of you affected by this breach, have you noticed any unusual spam/emails recently, that may be related to MFP? I’m wondering if they got the tip-off from their users.
