Fitness wear company Under Armour is notifying users of its MyFitnessPal app that it suffered a breach sometime in February affecting about 150 million users.
Under Armour said in a press release on Thursday that an unauthorized party accessed data including usernames, email addresses and passwords. Most of the passwords, the company says, are protected using bcrypt, a one-way hashing function.
The breach did not expose personally identifiable information, such as Social Security numbers, which the company does not collect. Nor did it expose payment information, which Under Armour says it processes separately.
The Baltimore-based company says it learned of the incident on March 25 and began notifying users four days later through emails and in-app messaging. It is requiring that users change their passwords.
“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” the company said on an FAQ page.
Under Armour says its investigation is ongoing and that it does not know the identity of the hackers.
MyFitnessPal is a website and mobile app that lets users track and record fitness and nutrition data. Under Armour acquired the service for $475 million in 2015, when the service had about 80 million users.