When Under Armour announced that its nutrition app MyFitnessPal had suffered a data breach impacting the information of roughly 150 million users, things actually didn't seem so bad. Of course, it's never good when personal data ends up online, much less that of so many people, but it seemed like Under Armour had at least taken reasonable precautions. But it turns out Under Armour only sort of got things right.
Given how many high-profile data breaches have caused significant damage over the years, it's critical for companies that hold sensitive data to build their systems in ways that limit the potential fallout. On that front, the Under Armor hack incident contains some (relatively) good news. The intrusion only exposed usernames, email addresses, and passwords, indicating that Under Armour's systems were at least segmented enough to protect the crown jewels—like birthdays, location information, or credit card numbers—from being scooped up. And the company says that the breach occurred in late February and was discovered on March 25, meaning it did a public disclosure in under a week. That's laudably fast; remember, Uber took over a year to fess up to its data-theft woes.
Under Armour also said that it had used the well-regarded password hashing function "bcrypt" to convert most of the passwords it stored into chaotic, unintelligible assortments of characters. When implemented properly, this cryptographic process makes it incredibly resource and time-consuming for attackers to attempt to "crack" the passwords and revert them to their useful form—after bcrypt hashing, a strong password can take decades to break, if not longer. As a result, even when hashed passwords leak they are still protected.
Here's where things get hairy, though. While Under Armour says it protected "the majority" of the passwords with bcrypt, the remainder weren't nearly so lucky. Instead, in a Q&A site about the breach, Under Armour admitted that some proportion of the exposed passwords were only hashed using a notoriously weak function called SHA-1, which has had known flaws for a decade and was further discredited by research findings last year. "The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function," Under Armour wrote in the Q&A.
"Bcrypt is designed to be extremely slow and SHA-1 is designed to be extremely fast," says Kenneth White, director of the Open Crypto Audit Project. SHA-1 requires less computing resources devoted to implementing and managing a hashing scheme, making it an appealing option—especially if you don't understand the tradeoff you're making. "The vast majority of developers [just] think they're both types of hashes."
The speed hit is well worth it from a security standpoint, though. Bcrypt imparts layers of defense by running data through its hashing function thousands of times to make the process more difficult to reverse. And its functions themselves are designed to need specific computing resources to run, making it harder for an attacker to simply throw a lot of processing power at the reversing problem. Bcrypt isn't uncrackable, and weak passwords in particular (like "password123") can still be guessed quickly by bad actors. But hashing strong passwords with bcrypt at least buys companies time to discover an invasion and reset everyone's password. Passwords hashed with SHA-1 are much more vulnerable.
After years of damaging data breaches, though, companies still haven't learned these lessons. Many have even made this specific mistake. The memorable breach of the hookup site Ashley Madison, for example, exposed 36 million passwords hashed with bcrypt, and another 15 million that were incorrectly hashed and therefore vulnerable to quick cracking. It's one thing to endanger passwords because you don't know which hash function to use; it's another to know the better option exists, but fail to implement it consistently.
So how do these mistakes happen? Under Armour hasn't provided any additional information about what transpired with its breach; the company says it is working with security firms and law enforcement to investigate. Matthew Green, a cryptographer at Johns Hopkins University, speculates that it could be the result of keeping too much IT work in-house rather than seeking out more specialized practitioners.
"It means you get some amateur hour stuff," Green says. "My suspicion is that they upgraded from something terrible, SHA-1, to something less terrible, bcrypt, but had to keep the old data around for customers who hadn’t logged in recently" as part of the transition between the two hashing schemes.
Whatever the specific reasons behind Under Armour's failings, companies need to vet and audit their security protections to discover flaws and mistakes before bad actors do. Otherwise, big data breaches won't just continue—they'll be more damaging than they have to be.
- If nothing else, Under Armour did better than Uber. Which is a low bar, but still
- Anyone using SHA-1 really should know better by now
- Under Armour joins Ashley Madison in getting it sort of right, but also lots of wrong
