Is MyFitnessPal Safe to Use After the Data Breach?

The 2018 MyFitnessPal data breach exposed 150 million accounts. Years later, is MFP safe to use? Here is what actually changed, what risks remain, and how to protect your health data.

Medically reviewed by Dr. Emily Torres, Registered Dietitian Nutritionist (RDN)

The direct answer: MyFitnessPal is safer now than it was in 2018, but significant privacy concerns remain. The 2018 breach that exposed 150 million user accounts was one of the largest in internet history. MFP has since changed ownership, updated its security infrastructure, and improved authentication options. However, the app still collects extensive user data for advertising purposes, and for an app that stores your health information — what you eat, how much you weigh, your health goals — the privacy model deserves scrutiny.

Here is an honest look at what happened, what changed, and what you should consider before trusting MFP with your health data in 2026.

What Exactly Happened in the MyFitnessPal Data Breach?

In March 2018, Under Armour (which owned MyFitnessPal at the time) disclosed that an unauthorized party had accessed MFP's user data in February 2018. The breach affected approximately 150 million user accounts, making it one of the top 10 largest data breaches ever recorded.

What Data Was Exposed?

The compromised data included:

  • Usernames — every account's display name
  • Email addresses — 150 million email addresses leaked
  • Hashed passwords — the passwords were hashed, but with a mix of bcrypt and SHA-1; the SHA-1-hashed passwords were significantly easier to crack
  • IP addresses — user location data derived from login records

What was reportedly not compromised:

  • Payment card data (processed by a separate system)
  • Social Security numbers or government IDs (not collected)
  • Detailed food diary data (though this is less certain)

The SHA-1 Problem

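A critical detail that many people missed: while Under Armour stated that passwords were hashed, a portion used SHA-1 hashing rather than the more secure bcrypt. SHA-1 is considered cryptographically weak, and because it is a fast general-purpose hash rather than a password-hashing function, candidate passwords can be brute-forced against it at very high rates on modern hardware. bcrypt, by contrast, is salted and deliberately slow. This meant that for millions of users the passwords themselves, not just the hashed versions, were effectively recoverable by the attackers.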
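The gap between a fast hash and a slow, salted one can be measured directly. The following is an added example, not code from MyFitnessPal or Under Armour: it compares the cost of one password guess against each kind of record and shows a legacy record being rehashed at the next successful login. Assumptions: the legacy record is unsalted SHA-1 (the article does not say how the SHA-1 hashes were built), PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, and the record format, function names and work factor are illustrative.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # illustrative work factor (assumption); tune for your hardware


def legacy_sha1(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical records."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes = b"", iters: int = ITERATIONS) -> str:
    """Salted PBKDF2 record in a made-up format: pbkdf2$<iters>$<salt>$<key>."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"pbkdf2${iters}${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store); a valid legacy record is rehashed on login."""
    if record.startswith("pbkdf2$"):
        _, iters, salt_hex, _ = record.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, record), record
    ok = hmac.compare_digest(legacy_sha1(password), record)
    return ok, (slow_hash(password) if ok else record)


def seconds_per_guess(fn, rounds: int) -> float:
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess-{i}")
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more work one guess takes against the slow record."""
    return seconds_per_guess(slow_hash, 3) / seconds_per_guess(legacy_sha1, 20_000)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("two users, same unsalted SHA-1:", legacy_sha1(pw) == legacy_sha1(pw))
    print("two users, different salted records:", slow_hash(pw) != slow_hash(pw))
    ok, stored = verify_and_upgrade(pw, legacy_sha1(pw))
    print("legacy login ok:", ok, "-> now stored as", stored[:24] + "...")
    print(f"one guess costs ~{cost_ratio():,.0f}x more against the slow record")
```

Upgrading on login only protects accounts that sign in again; records for dormant accounts stay in the legacy format until they are reset or wrapped in the slow hash.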

The breach data eventually appeared on dark web marketplaces. In 2019, the full dataset was offered for sale as part of a larger collection of breached databases.

What Has Changed Since the Breach?

Several significant changes have occurred since 2018.

Ownership Change

In 2020, Under Armour sold MyFitnessPal to Francisco Partners, a private equity firm, for approximately $345 million — a significant loss from the $475 million Under Armour paid in 2015. The new ownership brought new management and, presumably, new security priorities.

Infrastructure Updates

MFP has updated its security infrastructure since the breach. Specific improvements include:

  • Mandatory password resets — all users were required to change passwords after the breach
  • Improved hashing — passwords are now stored using modern hashing algorithms
  • Two-factor authentication — MFP added optional 2FA support
  • Updated encryption — data in transit and at rest uses current encryption standards

Legal Settlements

Under Armour settled a class-action lawsuit related to the breach. The settlement included monetary compensation for affected users and commitments to improved security practices. The SEC also investigated the timing of the breach disclosure.

What Privacy Concerns Remain in 2026?

Improved security does not equal improved privacy. These are two different issues, and the privacy side is where MFP still raises concerns.

Extensive Data Collection for Advertising

MFP's free tier is ad-supported, and the advertising model requires collecting and sharing user data with ad networks and partners. The data MFP collects includes:

  • Everything you eat — your complete food diary, meal times, and eating patterns
  • Your body metrics — weight, height, body measurements, goal weight
  • Your health goals — weight loss, muscle gain, maintenance targets
  • Your exercise data — workouts, activity levels, fitness integrations
  • Your device data — device type, OS, location data, usage patterns
  • Your behavioral data — what features you use, when you open the app, how long you spend

This data creates an extraordinarily detailed health profile. When combined with advertising partner data, it enables highly targeted ad delivery — and means your health information is shared with third-party companies whose data practices you have no control over.

Health Data Is Uniquely Sensitive

There is a reason health data receives special legal protection in frameworks like HIPAA and GDPR. Your nutrition and body composition data reveals:

  • Medical conditions (tracked through dietary restrictions)
  • Mental health indicators (eating patterns correlate with mood disorders)
  • Pregnancy (dietary changes are a strong signal)
  • Athletic status and physical capabilities
  • Socioeconomic indicators (food choices correlate with income)

When this data is collected for advertising, it can be used in ways most users never anticipated. An ad network knowing you are tracking a 1,200-calorie diet, logging prenatal vitamins, or restricting sodium tells advertisers things about your life that go well beyond simple food preferences.

The Ad-Funded Health App Paradox

There is a fundamental tension in any health app that relies on advertising revenue. The app needs you to use it frequently (to serve more ads), needs your data to be detailed (to target ads effectively), and needs to share that data with third parties (to fulfill ad contracts). Your health data becomes the product, not a protected asset.

This does not mean MFP is doing anything illegal. It means the business model creates incentives that are misaligned with your privacy interests, especially when the data involved is health-related.

How Does MyFitnessPal Compare on Privacy?

MyFitnessPal Privacy Practices

  • Ad-supported free tier requiring extensive data sharing with ad networks
  • Optional premium ($19.99/month) removes ads but privacy policy still permits data collection
  • Data shared with Francisco Partners portfolio companies and partners
  • History of one of the largest data breaches in internet history
  • Two-factor authentication available but not required

Privacy-Focused Alternatives

Not all nutrition trackers use the same data model. Apps that charge a subscription from the start typically collect less data because they do not need to monetize your information through advertising.

Health App Privacy Comparison

| Privacy Factor            | MFP Free   | MFP Premium | Nutrola         | Cronometer     |
|---------------------------|------------|-------------|-----------------|----------------|
| Ad tracking               | Yes        | Reduced     | None            | Some (free)    |
| Third-party data sharing  | Extensive  | Moderate    | Minimal         | Moderate       |
| Health data used for ads  | Yes        | Limited     | No              | Limited        |
| Two-factor authentication | Optional   | Optional    | Yes             | Optional       |
| Data breach history       | Yes (150M) | Yes (150M)  | None            | None           |
| Zero-ads model            | No         | Yes         | Yes (all tiers) | Paid tier only |
| GDPR compliant            | Yes        | Yes         | Yes             | Yes            |
| Data export available     | Yes        | Yes         | Yes             | Yes            |
| Data deletion on request  | Yes        | Yes         | Yes             | Yes            |

How to Protect Yourself If You Use MyFitnessPal

If you choose to continue using MFP, these steps will reduce your risk.

Immediate Security Steps

  1. Enable two-factor authentication — this is the single most effective protection against unauthorized account access
  2. Use a unique password — never reuse your MFP password on any other service. Use a password manager to generate a strong, unique password
  3. Check your email on Have I Been Pwned — visit haveibeenpwned.com to see if your email was in the breach dataset
  4. Review connected apps — revoke access for any fitness or health apps you no longer use that are connected to your MFP account

Privacy Steps

  1. Review your privacy settings — MFP has privacy controls buried in settings. Set your diary to private and limit data sharing where possible
  2. Consider what you log — be aware that everything you enter into MFP becomes part of your data profile
  3. Use premium if you stay — the paid tier at least removes ad-based tracking, though the privacy policy still allows data collection
  4. Read the current privacy policy — understand exactly what MFP collects and who they share it with

Should You Switch to a Privacy-Focused Alternative?

If privacy is a genuine concern for you — and when it comes to health data, it should be — the simplest solution is to use an app whose business model does not depend on your data.

Nutrola: Zero Ads on Every Tier

Nutrola operates on a straightforward subscription model: a FREE TRIAL with all features, then €2.50/month. There are zero ads on any tier, which means there is no advertising infrastructure collecting and sharing your data. The business model is simple — you pay for the app, and the app works for you, not for advertisers.

Beyond the privacy advantage, Nutrola offers AI photo and voice logging, barcode scanning, a 1.8M+ nutritionist-verified food database tracking 100+ nutrients, Apple Watch and Wear OS support, recipe import from any URL, and availability in 15 languages. With over 2 million users and a 4.9-star rating, it delivers more functionality than MFP at a fraction of the price — without the privacy trade-offs.

When the Price Is Your Data

The comparison is worth stating plainly. MFP's free tier costs you nothing financially but collects and monetizes your health data through advertising. MFP Premium costs $19.99/month and reduces but does not eliminate data collection. Nutrola costs €2.50/month after a free trial and does not collect data for advertising at all.

The "free" tier of any ad-supported app is never actually free. You are paying with your data. When that data describes your health, eating habits, body composition, and wellness goals, the price is higher than most people realize.

Frequently Asked Questions

Was my data definitely compromised in the MyFitnessPal breach?

If you had a MyFitnessPal account before February 2018, your account data was likely part of the breach. The breach affected approximately 150 million accounts, which was essentially the entire user base at the time. Check haveibeenpwned.com with your email address for confirmation.

Can I delete my MyFitnessPal account and data permanently?

Yes. MFP allows account deletion through the app settings or by contacting support. Under GDPR and similar privacy laws, they are required to delete your data upon request. Be aware that this is permanent and your historical data cannot be recovered.

Has MyFitnessPal been breached again since 2018?

There have been no publicly disclosed breaches of MyFitnessPal since the 2018 incident. However, the security landscape constantly evolves, and past breach history is a statistical risk factor for future incidents according to cybersecurity research.

Does MyFitnessPal sell my data?

MFP's privacy policy describes sharing data with "partners" for advertising and analytics purposes. Whether this constitutes "selling" depends on legal definitions that vary by jurisdiction. Under the California Consumer Privacy Act (CCPA), sharing data for targeted advertising can be classified as a "sale" of personal information.

Is MyFitnessPal HIPAA compliant?

No. MyFitnessPal is not a HIPAA-covered entity because it is a consumer wellness app, not a healthcare provider or health plan. HIPAA does not apply to most consumer health and fitness apps, which means your MFP data does not receive HIPAA protections regardless of how sensitive it is.

Should I change my password if I used MyFitnessPal in 2018?

If you have not changed your MFP password since before March 2018, change it immediately. More importantly, if you used the same password on any other service, change those passwords as well. The breach data has been widely circulated and password reuse is the primary way breached credentials lead to additional compromises.

The Bottom Line on MyFitnessPal Safety

MyFitnessPal is technically safer than it was in 2018. The security infrastructure has been updated, 2FA is available, and the ownership has changed. But "safer than 2018" is a low bar, and the fundamental privacy concern — an ad-funded business model that monetizes your health data — has not changed.

Your nutrition data is health data. It reveals intimate details about your life, your body, and your health conditions. The question is not just whether MFP can prevent another breach (it has improved there), but whether you are comfortable with how your data is collected, used, and shared in the normal course of business.

If the answer is no, there are alternatives that respect your privacy by design. Start a FREE TRIAL with Nutrola to experience nutrition tracking where zero ads means zero ad-driven data collection — just accurate tracking with a verified database, AI logging, and 100+ nutrients at €2.50/month.
