Why Did MyFitnessPal Get Hacked? The 150 Million Account Breach Explained

In 2018, MyFitnessPal suffered one of the largest data breaches in history. 150 million accounts were compromised. Here is exactly what happened, what data was exposed, whether it is safe now, and why health data privacy matters more than ever.

Medically reviewed by Dr. Emily Torres, Registered Dietitian Nutritionist (RDN)

In February 2018, someone broke into MyFitnessPal's systems and stole the account data of approximately 150 million users. Usernames, email addresses, and hashed passwords -- all compromised. At the time, it was one of the ten largest data breaches in history. The company did not discover the breach until March 2018, meaning the attackers had access to user data for roughly a month before anyone noticed.

If you used MyFitnessPal before March 2018, your data was almost certainly part of this breach. And if you are still wondering why a calorie tracking app became the target of one of the biggest hacks ever recorded, the answer reveals some uncomfortable truths about how health and fitness apps handle your data.

This article explains exactly what happened, what data was exposed, what was not, whether MyFitnessPal is safe to use today, and why health data privacy should be a deciding factor in which nutrition app you trust.

What Happened in the MyFitnessPal Data Breach?

Here is the timeline of events as they unfolded:

The Breach: February 2018

In late February 2018, an unauthorized party gained access to MyFitnessPal's user account data. The exact method of intrusion was never fully disclosed to the public. What is known is that the attacker was able to extract a massive dataset containing account information for approximately 150 million users.

At the time, MyFitnessPal was owned by Under Armour, which had acquired the app in 2015 for $475 million. Under Armour was responsible for the security of MyFitnessPal's infrastructure.

Discovery: March 25, 2018

MyFitnessPal's security team identified the breach on March 25, 2018 -- roughly four weeks after the intrusion occurred. A four-week gap between breach and detection is not unusual for data breaches of this scale, but it means the attacker had weeks of undetected access to user data.

Public Disclosure: March 29, 2018

Under Armour publicly disclosed the breach on March 29, 2018, just four days after discovering it. The company notified affected users via email and in-app messages, requiring password resets for all accounts.

The Aftermath

Under Armour's stock dropped approximately 3.8% in the days following the disclosure. The breach contributed to growing concerns about Under Armour's digital fitness strategy and the costs of maintaining a massive user database. Two years later, Under Armour would sell MyFitnessPal to Francisco Partners for $345 million -- $130 million less than the original purchase price.

What Data Was Exposed in the MyFitnessPal Hack?

Understanding exactly what was compromised -- and what was not -- is important for assessing the risk.

Data That Was Compromised

  • Usernames. The account names used to log into MyFitnessPal.
  • Email addresses. The email addresses associated with each account.
  • Hashed passwords. The passwords were not stored in plain text. They were hashed using bcrypt, a deliberately slow, salted password hashing algorithm designed to resist cracking. However, some passwords were hashed with SHA-1, a fast general-purpose hash that was never designed for password storage and is far easier to crack.

Data That Was Not Compromised (According to Under Armour)

  • Payment information. Under Armour stated that payment card data was not affected because it was collected and processed separately.
  • Government-issued identifiers. Social Security numbers, driver's license numbers, and similar identifiers were not stored by MyFitnessPal and therefore were not exposed.
  • Detailed health data. Under Armour stated that the breach involved account credentials, not the food diary data, weight logs, or nutritional information stored within the app.

Why This Matters Even If "Just" Emails and Passwords Were Exposed

It is tempting to dismiss the breach as "just" usernames and passwords. But the real-world impact of this kind of data exposure is significant:

  • Credential stuffing attacks. Many people reuse passwords across multiple services. Attackers who cracked the hashed passwords could use them to access other accounts -- email, banking, social media, shopping -- where the same email and password combination was used.
  • Phishing campaigns. With 150 million email addresses confirmed to be associated with a health and fitness app, attackers had a targeted list for phishing emails related to health, fitness, supplements, and dieting. These emails could be highly convincing because the attacker knew the recipient used a calorie tracking app.
  • Data sold on the dark web. The stolen MyFitnessPal data appeared on dark web marketplaces. In 2019, a collection of breached databases including MyFitnessPal data was offered for sale for approximately $20,000 in cryptocurrency.
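As an added illustration, not part of the original article and not MyFitnessPal's own tooling, of the kind of monitoring a service can run against the credential stuffing described above: the rule below flags a source address that attempts many distinct accounts within a short window (the signature of replaying a leaked credential list) and lists the accounts it did get into, so they can be force-reset. The log format and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real MyFitnessPal logs). Assumed format:
# "<ISO timestamp> ip=<addr> user=<name> result=<OK|FAIL>".
SAMPLE_LOG = """\
2018-03-01T02:14:00Z ip=203.0.113.7 user=alice result=FAIL
2018-03-01T02:14:01Z ip=203.0.113.7 user=bob result=FAIL
2018-03-01T02:14:02Z ip=203.0.113.7 user=carol result=OK
2018-03-01T02:14:03Z ip=203.0.113.7 user=dave result=FAIL
2018-03-01T02:14:04Z ip=203.0.113.7 user=erin result=FAIL
2018-03-01T02:14:05Z ip=203.0.113.7 user=frank result=FAIL
2018-03-01T02:20:00Z ip=198.51.100.9 user=grace result=FAIL
2018-03-01T02:20:30Z ip=198.51.100.9 user=grace result=FAIL
2018-03-01T02:21:00Z ip=198.51.100.9 user=grace result=OK
"""

def parse_line(line: str):
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]

def detect_stuffing(log_text: str, window_s: int = 300, min_users: int = 5) -> dict:
    """Flag source IPs that tried at least min_users distinct accounts within
    window_s seconds: the signature of replaying a leaked credential list.
    Repeated failures on one account (a forgotten password) are not flagged."""
    events = defaultdict(list)  # ip -> [(ts, user, result)]
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0
        for end, (ts, _, _) in enumerate(attempts):
            while ts - attempts[start][0] > timedelta(seconds=window_s):
                start += 1  # slide the window so it spans at most window_s
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_users:
                # accounts the run logged into need a forced password reset
                tried = sorted({u for _, u, _ in attempts})
                hits = sorted({u for _, u, r in attempts if r == "OK"})
                flagged[ip] = {"tried": tried, "hits": hits}
                break
    return flagged
```

The second address in the sample (one user failing twice, then succeeding) is deliberately left unflagged: that pattern calls for rate limiting on the account, not a stuffing alert.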

Why Was MyFitnessPal a Target?

A calorie tracking app might seem like an unusual target for hackers compared to banks or retailers. But there are specific reasons MyFitnessPal was attractive to attackers.

The Scale of the User Base

With over 150 million accounts at the time, MyFitnessPal had one of the largest user databases of any consumer app. For attackers focused on credential theft, the sheer volume of email and password combinations made it a high-value target regardless of what the app itself did.

Health Data Has Unique Value

Health and fitness data is increasingly valuable in the data economy. Information about what people eat, how much they weigh, their fitness goals, and their dietary patterns can be used for targeted advertising, insurance profiling, and social engineering. While Under Armour stated that food diary data was not compromised in the 2018 breach, the mere existence of a massive health data repository makes the platform a target.

Security Was Not the Priority

Under Armour was a sportswear company, not a technology or security company. When it acquired MyFitnessPal in 2015, the focus was on growing the user base and integrating the app with Under Armour's fitness ecosystem. Security infrastructure investment was not the driving priority.

The use of SHA-1 hashing for some passwords is a telling detail. SHA-1 had been considered cryptographically weak for years before the 2018 breach, and, more to the point for password storage, it is a fast hash with no built-in salt or work factor, so anyone holding the stolen hashes can test enormous numbers of guesses per second. Best practices called for bcrypt or similar deliberately slow, salted hashing algorithms. The fact that some MyFitnessPal passwords were still hashed with SHA-1 suggests that security upgrades were not being prioritized.

Has MyFitnessPal's Security Improved Since the Breach?

This is the question that current and potential users most need answered. The short answer: MyFitnessPal has made improvements, but the app's ownership history and business model raise ongoing questions.

What Changed After the Breach

Following the 2018 breach, MyFitnessPal implemented several security improvements:

  • Mandatory password resets for all affected accounts
  • Enhanced monitoring for unauthorized access
  • Migration to stronger hashing algorithms for passwords
  • Two-factor authentication was eventually added as an option
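An added example, not code from MyFitnessPal or Under Armour, of the two hashing schemes discussed in this article and of the migration listed above: legacy unsalted SHA-1 records are still verified, but the next time the user logs in (the only moment the plaintext is available) the record is silently re-hashed with a salted, deliberately slow scheme. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so the example has no third-party dependency; the user records are constructed.

```python
import hashlib
import hmac
import os
import timeit

# Legacy scheme the article describes: one unsalted SHA-1 digest per password.
# Each guess costs a single fast hash, which is why such hashes crack cheaply.
def legacy_sha1(password: str) -> str:
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

# Strong scheme: per-user salt plus a deliberately slow derivation. The article
# names bcrypt; PBKDF2-HMAC-SHA256 from the standard library stands in for it.
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster

def strong_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    scheme, *parts = stored.split("$")
    if scheme == "sha1":
        return hmac.compare_digest(legacy_sha1(password), stored)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed

def login(user_db: dict, username: str, password: str) -> bool:
    """Check a login; if the record still holds a legacy SHA-1 hash, re-hash
    it with the strong scheme now, while the plaintext is in hand."""
    stored = user_db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        user_db[username] = strong_hash(password)
    return True

def guess_cost_ratio(rounds: int = 1000) -> float:
    """Rough factor by which one guess costs more against PBKDF2 than SHA-1."""
    per_sha1 = timeit.timeit(lambda: legacy_sha1("guess"), number=rounds) / rounds
    per_strong = timeit.timeit(lambda: strong_hash("guess"), number=1)
    return per_strong / per_sha1

# Constructed sample records: one user still on SHA-1, one already migrated.
USER_DB = {"alice": legacy_sha1("alice-old-pass"), "bob": strong_hash("bob-pass")}
```

Records that never see another login keep their SHA-1 hash, which is why a migration of this kind is usually paired with a forced reset for dormant accounts.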

What Has Not Changed

Despite these improvements, several structural concerns remain:

  • No end-to-end encryption for health data. MyFitnessPal stores food diary data, weight logs, and nutritional information on its servers. This data is not end-to-end encrypted, meaning the company (and any attacker who gains server access) can read it.
  • A new owner with different priorities. Francisco Partners, the private equity firm that acquired MyFitnessPal in 2020, is focused on revenue generation. Security investment competes with other priorities in this model.
  • Advertising-driven data collection. The free tier of MyFitnessPal is supported by advertising. Advertising-supported apps inherently collect more user data to serve targeted ads. More data collection means a larger attack surface and more data at risk in a potential breach.
  • No public security audits. MyFitnessPal does not publish independent security audit results. Users have to trust the company's claims about security improvements without third-party verification.

Why Does Health Data Privacy Matter?

If you track what you eat, how much you weigh, your body measurements, your fitness goals, and your dietary patterns in an app, you are creating a detailed health profile. This data is more sensitive than many people realize.

Health Data Is Uniquely Personal

Your food diary reveals far more than calorie counts. It reveals medical conditions (tracking food for diabetes management or kidney disease), mental health patterns (binge eating, restriction, emotional eating), reproductive status (pregnancy-related dietary changes), religious practices (fasting patterns), socioeconomic information (food choices reflect income level), and more.

This is not data you want exposed in a breach, sold to data brokers, or used for insurance profiling.

Health Data Privacy Is a Growing Legal Concern

Regulations around health data privacy are tightening globally. The EU's GDPR provides strong protections for health-related data. In the United States, HIPAA protects medical records but does not cover data voluntarily entered into consumer apps like MyFitnessPal. This creates a gap where highly sensitive health information has fewer legal protections than your medical chart.

The Business Model Matters

How a company makes money directly affects how it handles your data. Apps that rely on advertising revenue have a financial incentive to collect as much user data as possible and share it with advertising partners. Apps that rely on subscriptions have a financial incentive to protect user data because their revenue comes from user trust, not data monetization.

This distinction is critical when choosing a health app.

How to Evaluate a Nutrition App's Data Security

If the MyFitnessPal breach made you think twice about where you store your health data, here is what to look for when evaluating alternatives:

Key Security and Privacy Questions

| Factor | What to Look For | Red Flag |
| --- | --- | --- |
| Business model | Subscription-based, no ads | Ad-supported free tier with data sharing |
| Data encryption | End-to-end encryption for health data | No encryption or server-side only |
| Privacy policy | Clear, specific, easy to read | Vague language about "partners" and "third parties" |
| Data deletion | Easy to delete all your data permanently | No clear deletion process |
| Third-party sharing | Minimal or no third-party data sharing | Data shared with advertisers or brokers |
| Security audits | Regular independent security audits | No public audit information |
| Breach history | Clean record or transparent about past incidents | History of breaches with poor disclosure |
| Data location | Servers in jurisdictions with strong privacy laws | No information about data location |

How Nutrola Approaches Data Privacy

Nutrola is built on a subscription model starting at €2.50 per month with zero ads on every pricing tier. This is a fundamental difference from ad-supported apps like MyFitnessPal's free tier. When there are no ads, there is no incentive to collect user data for advertising purposes. Your food diary, weight logs, and nutritional data exist to serve you, not to profile you for advertisers.

Nutrola does not sell user data to third parties. The app's revenue comes entirely from subscriptions, which means the business model is aligned with user privacy rather than opposed to it. When a company makes money by keeping users happy and trusting, it has every reason to protect their data. When a company makes money by monetizing user data through advertising, the incentives point in the opposite direction.

Comparison: MyFitnessPal vs Nutrola on Privacy and Features

| Factor | MyFitnessPal | Nutrola |
| --- | --- | --- |
| Major data breach history | Yes (150M accounts, 2018) | No |
| Ad-supported free tier | Yes (heavy ads) | No (zero ads on all tiers) |
| Revenue model | Subscriptions + advertising | Subscriptions only |
| Price | Free (limited) / $79.99 per year | From €2.50 per month |
| Nutrients tracked | ~6 reliably | 100+ |
| Food database | 14M+ crowdsourced entries | 1.8M+ verified entries |
| AI photo logging | No | Yes |
| Voice logging | No | Yes |
| Barcode scanning | Premium only | Yes (all users) |
| Apple Watch + Wear OS | Basic Apple Watch only | Both supported |
| Recipe import | Yes | Yes (with full nutritional breakdown) |
| Languages supported | 20+ | 9 |

What Should You Do If Your Data Was in the MyFitnessPal Breach?

If you had a MyFitnessPal account before March 2018, your data was likely compromised. Here is what you should do if you have not already:

  1. Change your MyFitnessPal password if you have not done so since the breach. Use a strong, unique password.
  2. Change passwords on any other service where you used the same email and password combination as your MyFitnessPal account. This is the most important step for preventing credential stuffing attacks.
  3. Enable two-factor authentication on MyFitnessPal and every other service that supports it.
  4. Use a password manager to generate and store unique passwords for every service. This ensures that a breach of one service does not compromise your other accounts.
  5. Check haveibeenpwned.com to see if your email address appeared in the MyFitnessPal breach or any other known data breach.
  6. Be skeptical of unsolicited emails related to fitness, dieting, supplements, or health apps. Your email address is in the hands of attackers who know you are interested in nutrition tracking.

Frequently Asked Questions

When was MyFitnessPal hacked?

MyFitnessPal was hacked in February 2018. The breach was discovered on March 25, 2018, and publicly disclosed on March 29, 2018. Approximately 150 million user accounts were compromised, making it one of the largest data breaches in history at the time. MyFitnessPal was owned by Under Armour during the breach.

What data was stolen in the MyFitnessPal hack?

The breach exposed usernames, email addresses, and hashed passwords for approximately 150 million accounts. Some passwords were hashed with bcrypt (a strong algorithm) while others used SHA-1 (a weaker algorithm). Under Armour stated that payment information and detailed health data (food diaries, weight logs) were not compromised.

Is MyFitnessPal safe to use in 2026?

MyFitnessPal implemented security improvements after the 2018 breach, including stronger password hashing and optional two-factor authentication. However, the app is now owned by a private equity firm, relies on advertising revenue from the free tier (which incentivizes data collection), and does not publish independent security audit results. Whether you consider it "safe" depends on your personal risk tolerance and how sensitive you consider your nutrition data.

Has MyFitnessPal been hacked more than once?

The 2018 breach is the only publicly confirmed major data breach affecting MyFitnessPal. However, the compromised data from the 2018 breach was subsequently sold on dark web marketplaces and appeared in credential dump collections that circulated for years after the original incident.

How do I know if my MyFitnessPal data was in the breach?

If you had a MyFitnessPal account before March 2018, your data was almost certainly affected -- the roughly 150 million compromised accounts amounted to essentially the entire user base of approximately 150 million accounts that existed at the time. You can check haveibeenpwned.com to confirm whether your email address appeared in the breach. MyFitnessPal also sent email notifications to affected users and required password resets.

Which calorie tracker is the most private and secure?

Look for apps with subscription-based business models and no advertising, as these have less incentive to collect and monetize user data. Nutrola operates on a subscription model starting at €2.50 per month with zero ads on any tier, meaning there is no advertising-driven data collection. The app does not sell user data to third parties. Beyond privacy, Nutrola offers AI-powered food logging (photo, voice, barcode), tracks over 100 nutrients from a verified database of 1.8 million foods, and supports Apple Watch, Wear OS, and nine languages.

Ready to Transform Your Nutrition Tracking?

Join thousands who have transformed their health journey with Nutrola!
