MyFitnessPal Data Breach
MyFitnessPal Fitness Tracking App Breach (2018): 150 Million User Accounts Including Passwords Exposed
Fitness tracking app.
Risk Interpretation
Credential reuse risk plus sensitive lifestyle profiling. Health-related data can be used for targeted scams or personal profiling.
Impact & Downstream Threats
The 2018 breach was one of the largest consumer health-app credential exposures ever disclosed. Under Armour said an unauthorized party acquired MyFitnessPal account data in February 2018, and HIBP says the incident exposed 144 million unique email addresses along with usernames, IP addresses, and passwords stored as SHA-1 or bcrypt hashes; MyFitnessPal later said it forced password resets and disabled the old passwords. That made the breach highly useful for credential stuffing, password cracki
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
MyFitnessPal, owned by Under Armour at the time, suffered a data breach in February 2018 when an unauthorized party gained access to user account data. The breach exposed records tied to approximately 150 million users. The attack vector was a misconfiguration, meaning a security flaw in how the system was set up allowed direct access to the data rather than requiring a sophisticated external hack. The stolen data later appeared for sale on a dark web marketplace in 2019 and began circulating more broadly from there.
The breach exposed email addresses, usernames, IP addresses, and passwords. Passwords for older accounts were stored using SHA-1 hashing, a weaker method that makes cracking them more feasible. Newer accounts used bcrypt, a stronger standard. Because MyFitnessPal tracks eating habits, exercise routines, and behavioral patterns over time, the exposed data goes beyond basic credentials. Affected users faced a layered risk: account takeover through credential stuffing, targeted phishing using health and lifestyle context, and personal profiling tied to their fitness and nutrition histories.
Under Armour disclosed the breach publicly and said MyFitnessPal forced password resets and disabled the compromised passwords. No significant regulatory action was publicly reported following the disclosure. For affected users, the practical risk remains elevated years later. Stolen credentials from this breach have circulated widely, meaning anyone who reused their MyFitnessPal password on other accounts should treat those accounts as potentially compromised.
About MyFitnessPal
MyFitnessPal is a consumer health and fitness platform built around calorie tracking, nutrition logging, exercise monitoring, and behavior-change support. It operates as a large-scale wellness app that turns daily eating and activity habits into structured personal data, making it part health tool, part long-term behavioral record system.
Why They Hold Your Data
Health and fitness applications collect user accounts, emails, passwords, and behavioral data related to diet, exercise, and health routines.
Recent Developments
MyFitnessPal remains an active standalone consumer health product with a steady release cadence and visible product expansion in 2025 and 2026. Recent official updates highlight new nutrition-tracking features, recipe planning, photo-upload logging, sleep-related features, and GLP-1 support, which shows the platform continuing to deepen its role in day-to-day health management rather than remaining a static legacy app.
Data Points Exposed
Canonical Fields
email_address, ip_address, password, username
Dark Web Verification
- Dataset containing ~150.6M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: myfitnesspal.com-2018;MyFitnessPal Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
