Tips for better passwords

The Under Armour hack is a reminder to use strong passwords


Under Armour is urging users of MyFitnessPal, the company's food-and-nutrition app and website, to immediately change their passwords in the wake of a data breach that compromised the information of about 150 million users.

The Baltimore, Maryland-based company, best known for its athletic wear, says it learned earlier this week that someone had stolen data (including usernames, email addresses and hashed, or scrambled, passwords) associated with MyFitnessPal user accounts.

Under Armour says in a published statement that it began notifying users within days of learning of the theft.

It says it will be requiring users to change their passwords and is encouraging them to do so immediately. In the meantime, the company says, it is "working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities."

Under Armour says that most of the stolen passwords were secured with a form of encryption, and that credit card information wasn't affected.

Email addresses are worth money to cyber criminals for use in phishing schemes, which are an increasing threat thanks to an endless supply of personal details that can be mined from social media and woven into emails to make them more believable.

And, while you might not care if a hacker is able to access your MyFitnessPal account, that password will be the first one they use when trying to access your more valuable accounts, such as those used for banking.

Cybersecurity experts say the first thing to do when a big breach like this occurs is change your password for the affected account, along with any other accounts where you were using the same password.

Even if you don't have a MyFitnessPal account, this data breach should serve as a reminder to check that you aren't doubling up your passwords (we know it's easier, but it's not a good idea), and to make sure all your passwords are good ones.

Research shows that people could use some reminding. Eighty-one percent of last year's data breaches involved stolen or weak passwords, according to the Verizon 2017 Data Breach Investigations Report.

Here are some tips for creating strong passwords and keeping your online accounts safe.

Go Long and Complicated

While "Password123" may be easy to remember, it's a disaster when it comes to security. Hackers like to go for the low-hanging fruit and try the obvious options first.

Ideally, a password should be composed of a long string (think at least a dozen characters) of seemingly random upper- and lower-case letters, numbers and symbols. One of the best and easiest things to do is to create a long password out of an easy-to-remember phrase, then throw in some special characters.

For example: "Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g", though it would be better to use a phrase that you make up yourself.

Don't include your name, birthday or references to any other personal details (yes, that means your kids' personal details, too). Hackers routinely troll Facebook and Twitter for clues to passwords like those.

This same logic applies to smart home devices such as webcams, TVs, toys and even some high-end refrigerators. Many come with default passwords that should be changed the moment you take the product out of the box. There's no easier password to hack than one you can find in a manual or online.

And don't forget about your router. According to research done by Symantec, one of the world's largest cybersecurity companies, 37 percent of people haven't changed their router's default password.
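
The checks described in this section and under "Don't Recycle" below, written out as an added Python example that is not part of the original article: at least a dozen characters, all four character types, nothing obvious or factory-default, no personal details, and no reuse. The function name, the small list of obvious passwords and the sample inputs are constructed for illustration, and the character checks assume ASCII passwords.

```python
import string

# Constructed sample of obvious and factory-default passwords (illustrative only).
COMMON = {"password123", "admin", "123456", "qwerty", "letmein"}

# Undo the usual letter swaps so "P@ssw0rd" is compared as "password".
_SWAPS = str.maketrans("30145$@7", "eoiassat")


def _norm(text):
    return text.lower().translate(_SWAPS)


_COMMON_NORM = {_norm(p) for p in COMMON}


def check_password(password, personal=(), in_use=()):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(password) < 12:  # "at least a dozen characters"
        problems.append("too short")
    classes = {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append("no " + name)
    normalized = _norm(password)
    if normalized in _COMMON_NORM:
        problems.append("obvious or default")
    # Names, birthdays and similar details; very short tokens are ignored
    # to avoid accidental matches.
    if any(len(t) >= 3 and _norm(t) in normalized for t in personal):
        problems.append("personal detail")
    if password in in_use:  # same password already protects another account
        problems.append("reused")
    return problems


if __name__ == "__main__":
    for pw in ("Password123", "Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g"):
        print(pw, "->", check_password(pw) or "ok")
```

Swapping letters for look-alike digits does not rescue an obvious password: "P@ssw0rd123" is still flagged once the swaps are undone.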

Don't Recycle

Even a tech minimalist has countless passwords these days for everything from bank accounts to Pinterest. That's a lot to remember, but don't follow the temptation to use the same password for multiple accounts or to recycle an old favorite.

After all, this isn't the first time something like this has happened. More than 1 billion passwords were stolen from Yahoo in a handful of breaches over the past several years. You wouldn't want that same password to be tied to your credit and bank accounts as well. Hackers routinely test passwords stolen in mega breaches on financial accounts.

If the thought of remembering so many complicated passwords is intimidating, think about using a password manager. The services create and remember top-of-the-line passwords for you and they'll also make sure the site you think belongs to your bank actually does, before you hand over your credentials.

Fair warning, password manager companies have been hacked in the past, but that doesn't mean user passwords were actually acquired by the bad guys. Overall, many cybersecurity experts say they're the lesser of many evils.

Always Use Multifactor

Multi-factor authentication, which asks users to enter a second form of identification, such as a code texted to a smartphone or a biometric identifier like a thumb print, has become a must.

What multifactor authentication does is make it a lot harder for hackers to access your account, even if they have the password. Its use is standard practice in business, and services including Google, Facebook, and online banking sites offer it as an option, but you often have to turn it on. Yes, this will slow you down a bit, but frequently, it's enough to make hackers look for another target.

Embrace Change

Did you just toss your toothbrush? Maybe it's time to change your passwords, too.

The longer a password hangs around, the more likely that it's been stolen or deciphered by a hacker. And, if a company, such as Under Armour, announces that it's been hacked and credentials have been stolen, change your password right away, even if it appears your account wasn't affected. It often takes time for those investigating a hack to determine exactly how bad the fallout is, and breaches are often worse than they first appear.

On a related note, it's also wise to periodically clean out your digital closets, just like the physical ones in your home. Have an AOL email account you don't use anymore? A Myspace account? Close them out so you don't have to worry about them getting hacked.

Don't Be Too Social

Be careful what you share and who you share it with.

This lesson was driven home by the recent revelation that about 50 million Facebook users had their profile information and "likes" harvested, without permission, by a third-party quiz app.

If you're going to post personal details about yourself (or your family), make sure your accounts are locked down and change your privacy settings to restrict your posts to real-life "friends." Consumer Reports shared tips for protecting your kids' personal information in a previous story, but here's the short version: The entire world doesn't need to know where they go to school and when they celebrate their birthdays.

And keep in mind that even if you think you have your account locked down, nothing shared on social media is ever truly private. So, think before you trade your privacy to play a Facebook game or take part in what looks like a harmless quiz.

 

