Myfitnesspal was a startup that offered Internet of Shit-based fitness and diet tracking; they were purchased by Under Armour for $475,000,000 in 2015; three years later, Under Armour has admitted that hackers stole the personal data of 150,000,000 Myfitnesspal users.
Internet of Things companies can’t be profitable — let alone a tempting acquisition target — through the sale of hardware; the margins are far too slim. By being maximally surveillant, IoT companies can amass deep dossiers of compromising personal information about hundreds of millions of users, something that big companies will pay hundreds of millions of dollars for.
Since IoT companies that don’t get acquired go under when their venture capitalists lose patience with them, every dollar they spend on information security is a dollar they can’t spend on keeping the lights on while they hope to get bought. Companies that go under face no liability for breaches, and companies that get acquired can fob off the consequences of breaches on their unlucky new owners. As a result, the Internet of Things security standard is a kind of “minimum viable security” — the thinnest membrane of security that prevents the product from detonating until the money runs out or someone else takes over.
The 150,000,000 user Myfitnesspal breach included usernames, emails and hashed passwords. Myfitnesspal has not revealed whether the hashed passwords also had per-user salts — a simple technique that makes it much, much harder to recover the cleartexts from a hashed password file.
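What that undisclosed detail changes, as an added example (not code from Myfitnesspal, Under Armour or the original post): with bare unsalted digests, every account that reuses a password stores the same value, while a per-user random salt makes every stored record distinct and forces any guessing to be repeated per account. The account names, passwords and PBKDF2 iteration count below are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch, not a recommendation

# Constructed sample accounts; several users picked the same password.
SAMPLE_USERS = {
    "alice": "hunter2", "bob": "hunter2", "carol": "hunter2",
    "dave": "correct horse", "erin": "correct horse", "frank": "tr0ub4dor",
}

def hash_unsalted(password: str) -> bytes:
    """Weak scheme: a bare digest, so equal passwords give equal records."""
    return hashlib.sha256(password.encode()).digest()

def hash_salted(password: str, salt: Optional[bytes] = None):
    """Per-user random salt fed into a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored)

def accounts_sharing_a_digest(digests) -> int:
    """Count records whose stored value also appears on another account."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

def build_unsalted_file(users):
    return {name: hash_unsalted(pw) for name, pw in users.items()}

def build_salted_file(users):
    return {name: hash_salted(pw) for name, pw in users.items()}

if __name__ == "__main__":
    unsalted = build_unsalted_file(SAMPLE_USERS)
    salted = build_salted_file(SAMPLE_USERS)
    print("unsalted records sharing a digest:",
          accounts_sharing_a_digest(unsalted.values()))
    print("salted records sharing a digest:",
          accounts_sharing_a_digest(d for _, d in salted.values()))
```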
The stolen data includes account user names, email addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement. Social Security numbers, driver license numbers and payment card data were not compromised, it said. It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.
Under Armour says 150 million MyFitnessPal accounts breached [Jim Finkle and Nivedita Balu/Reuters]