If you’re still using your old MyFitnessPal password to access other websites, now is the time to change and retire it. Almost a year after the diet and exercise website disclosed that it was breached, threat actors are selling the stolen credentials, which may include the usernames, passwords and email addresses of up to 150 million people, on the Dark Web.
In addition to MyFitnessPal, which is owned by athletic apparel manufacturer UnderArmour, credentials from 15 other hacked websites are also for sale, The Register reported. The sale price: around $20,000 in bitcoin. A MyFitnessPal spokesperson told Fortune that users were required to change their passwords after the breach was disclosed in March 2018, making any pilfered passwords useless on the site. While forcing all MyFitnessPal users to change their passwords protects their workout data and food diaries from threat actors, the exposed credentials could prove problematic for people who use the same password to log in to multiple sites. Attackers, criminals and other nefarious types know that password reuse is common, despite security analysts warning about the dangers of this practice.
With data breaches occurring regularly, there’s a real chance that, eventually, a person’s credentials will end up either in the public domain or on the Dark Web. If threat actors have the username and password that a person uses to log in to a MyFitnessPal account, they know there’s a chance that those same credentials could give them access to more valuable accounts, such as a Gmail or bank account.
Hashing may not completely protect passwords
The MyFitnessPal passwords were hashed (the company described them as encrypted), but hashing doesn’t guarantee that the passwords are protected from attackers. Some hashing algorithms are far more difficult to crack than others. UnderArmour said that while a majority of the passwords were hashed with bcrypt, some were hashed with SHA-1, which is considered unsafe for protecting sensitive data. UnderArmour didn’t provide figures on how many passwords were hashed with each algorithm.
Security researchers have already shown that SHA-1 is broken, and because it was designed to be fast, SHA-1 password hashes can be brute-forced cheaply; the U.S. National Institute of Standards and Technology has banned U.S. federal agencies from using the algorithm since 2010. Bcrypt is a strong, deliberately slow hashing function that’s more difficult – but not impossible – to crack. For example, security researcher Dean Pierce cracked 4,000 of the 36 million passwords that were leaked in the Ashley Madison breach and hashed with bcrypt. While his efforts took five days and involved servers built for password cracking, some credentials were eventually revealed.
In theory, a person could purchase the stolen UnderArmour credentials, crack the passwords that were hashed with the weak SHA-1 algorithm and use the email addresses and cracked passwords to try to log in to a person’s Gmail or Bank of America account, for example.
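The mix of bcrypt and SHA-1 hashes described above is what a defender sees when a site has changed hashing schemes without rehashing old accounts. The following is an added example, not code from MyFitnessPal or UnderArmour, showing the usual remedy: tag each stored hash with its scheme, audit how many accounts are still on the legacy scheme (the figure UnderArmour did not provide), and transparently upgrade a legacy hash to a slow, salted one the next time the user logs in successfully. Because the standard library has no bcrypt, the slow scheme here is PBKDF2-HMAC-SHA256, standing in for bcrypt; the iteration count, the `scheme$...` storage format and the sample accounts are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for the slow scheme (constructed value; raise it in production
# and tune to your hardware, as you would tune bcrypt's cost parameter).
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """The weak legacy scheme: unsalted, fast SHA-1. Kept only so old rows can be verified."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash (PBKDF2 as a stand-in for bcrypt)."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def scheme_of(stored: str) -> str:
    """The scheme tag is the first '$'-separated field of the stored string."""
    return stored.split("$", 1)[0]


def verify(stored: str, password: str) -> bool:
    """Verify a password against a stored hash of either scheme, in constant time."""
    scheme = scheme_of(stored)
    if scheme == "sha1":
        return hmac.compare_digest(stored, legacy_sha1(password))
    if scheme == "pbkdf2_sha256":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login_and_upgrade(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; on success, rehash any legacy SHA-1 entry with the slow scheme.

    The plaintext is only available at login, so this is the moment to migrate.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if scheme_of(stored) == "sha1":
        store[user] = slow_hash(password)
    return True


def audit_schemes(store: Dict[str, str]) -> Dict[str, int]:
    """Count accounts per hash scheme so the remaining legacy exposure is measurable."""
    counts: Dict[str, int] = {}
    for stored in store.values():
        counts[scheme_of(stored)] = counts.get(scheme_of(stored), 0) + 1
    return counts


def sample_store() -> Dict[str, str]:
    """Constructed credential table: two legacy rows, one already on the slow scheme."""
    return {
        "alice": legacy_sha1("correct horse"),
        "bob": slow_hash("battery staple"),
        "carol": legacy_sha1("hunter2"),
    }


if __name__ == "__main__":
    db = sample_store()
    print("before:", audit_schemes(db))
    login_and_upgrade(db, "alice", "correct horse")
    print("after alice logs in:", audit_schemes(db))
```

Accounts that never log in again never get upgraded, which is why a breach of a half-migrated table still exposes the legacy rows; the audit count is the number a security team should be driving to zero, by forcing resets if necessary.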
Mitigate password risks with biometrics
One way to reduce the risks associated with passwords is to replace them with biometric authentication using smartphones. People always have their smartphones on them and they’ve grown accustomed to using biometrics like fingerprints to unlock their devices and log in to mobile apps.
Unlike passwords, biometrics can’t be shared with others and don’t have to be memorized. While stories abound about researchers fooling Apple’s Face ID and the fingerprint sensors on various smartphones, biometric vendors have put liveness detection algorithms into their technology to defeat most of those attacks. Some vendors also use a distributed data model to store biometrics. This means that part of the biometric is stored on a person’s smartphone and the remainder is stored on an organization’s server. If attackers infiltrated the server and stole an employee’s biometric data, it would be useless without the portion stored on the person’s smartphone.
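The distributed storage property described above, as an added example that is not any vendor’s code: the enrolled template is split into two shares with a one-time pad, the device keeps the random share and the server keeps only the template XORed with it, so the server’s share on its own is statistically independent of the template and a server breach yields nothing usable. Real biometric matching is fuzzy; this example treats the template as an exact byte string and has the server keep a hash commitment of it, purely to show the splitting property. The template bytes, the `enroll`/`authenticate` names and the commitment step are all constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def split_template(template: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 XOR secret split: device share is uniformly random,
    server share is template XOR device share. Either share alone
    is a uniformly random string and reveals nothing about the template."""
    device_share = os.urandom(len(template))
    server_share = bytes(t ^ d for t, d in zip(template, device_share))
    return device_share, server_share


def reconstruct(device_share: bytes, server_share: bytes) -> bytes:
    """Recombine the two shares; only possible with both halves present."""
    if len(device_share) != len(server_share):
        raise ValueError("share length mismatch")
    return bytes(d ^ s for d, s in zip(device_share, server_share))


def enroll(template: bytes) -> Tuple[bytes, Dict[str, object]]:
    """Enrollment: returns the share the phone keeps and the record the server keeps.

    The server record holds its share plus a hash commitment to the full template,
    so it can recognise a correct reconstruction without storing the template itself.
    """
    device_share, server_share = split_template(template)
    commitment = hashlib.sha256(template).hexdigest()
    return device_share, {"share": server_share, "commit": commitment}


def authenticate(device_share: bytes, server_record: Dict[str, object]) -> bool:
    """Authentication: recombine and compare against the commitment in constant time."""
    try:
        candidate = reconstruct(device_share, server_record["share"])  # type: ignore[arg-type]
    except ValueError:
        return False
    digest = hashlib.sha256(candidate).hexdigest()
    return hmac.compare_digest(digest, str(server_record["commit"]))


def server_share_leaks_template(template: bytes, server_record: Dict[str, object]) -> bool:
    """Defender's check: does the stolen server share equal the template? (Should never.)"""
    return server_record["share"] == template


def sample_template() -> bytes:
    """Constructed stand-in for a fingerprint template; real ones are vendor-specific."""
    return hashlib.sha256(b"constructed-fingerprint-template-for-the-example").digest()


if __name__ == "__main__":
    tmpl = sample_template()
    phone_share, server_rec = enroll(tmpl)
    print("genuine device:", authenticate(phone_share, server_rec))
    print("server share alone equals template:", server_share_leaks_template(tmpl, server_rec))
```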
Meanwhile, the addition of behavioral biometrics to the authentication process should make fooling biometric technology even more challenging, he added. Behavioral biometrics are based on how people use their phones and include how a phone is held, swipe patterns and the pressure that’s used when typing.
Until what we are and have with us replaces what we know as the main method of authentication, remember to change and retire your old MyFitnessPal password if you’re still using it to access other accounts.