Data Breach heatherwalsh77 — Mar 30, 2018 02:52AM PDT
Why did it take FOUR DAYS for you to inform your users that their personal data had been stolen?!
2 Community Answers
nmgyrl Mar 30, 2018 10:57AM PDT
As an end user with 30 years' experience in computer security, I have to say I'm impressed it *only* took four days for notification to go out. In a hacking situation, you have to figure out the extent of the breach and what might have been stolen, before you can provide any sensible information and instructions to the users affected. In addition, it's important to figure out *how* it happened so you can close the hole ASAP and stop further leaks. Most companies take far longer than a few days, even when the potential damage from compromised data is much higher than in this case.
I'm also impressed that Under Armour is using bcrypt for hashed passwords instead of the old standard of salted SHA-256. Translation: since the passwords themselves were not obtained, this means that unless you've used a dumb password (Google to see examples), the hackers will have a lot more trouble cracking it - which in turn means it probably hasn't happened yet (and it's compute-intensive enough they may not even bother trying beyond the dumb list).
If I were you, after changing your MFP password, I'd take a careful look at the security of the email account you use for this site. After plucking the low-hanging fruit, that's where the best chance of payoff is for the hackers.
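The work-factor argument in the answer above, as an added example that is not part of the original thread: bcrypt is not in Python's standard library, so PBKDF2-HMAC with 2**cost iterations stands in as the slow hash (assumption: it scales with its cost parameter the way bcrypt does), and the sample password and the short denylist are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for the demo; none come from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}  # tiny constructed denylist


def is_common_password(password: str) -> bool:
    """Defender-side check: reject the 'dumb' passwords that no
    work factor can protect, before they are ever stored."""
    return password.lower() in COMMON_PASSWORDS


def salted_sha256(password: str, salt: bytes) -> bytes:
    """The 'old standard' from the answer: one SHA-256 over salt+password."""
    return hashlib.sha256(salt + password.encode()).digest()


def work_factor_hash(password: str, salt: bytes, cost: int) -> bytes:
    """Stand-in for bcrypt (not in the stdlib): PBKDF2-HMAC-SHA256 with
    2**cost iterations. Assumption: as with bcrypt's cost parameter,
    each +1 doubles the work needed per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so verification itself leaks no timing."""
    return hmac.compare_digest(stored, candidate)


def per_guess_cost(cost: int, samples: int = 20) -> dict:
    """Time one hash under each scheme; the ratio is how much slower
    every guess becomes for whoever holds the leaked hashes."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        salted_sha256(SAMPLE_PASSWORD, salt)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        work_factor_hash(SAMPLE_PASSWORD, salt, cost)
    slow = (time.perf_counter() - t0) / samples
    return {"sha256_us": fast * 1e6, "kdf_us": slow * 1e6, "ratio": slow / fast}


if __name__ == "__main__":
    print(per_guess_cost(cost=12))
```

Raising `cost` by one doubles `kdf_us` while leaving a legitimate login barely affected, which is the trade-off the answer describes.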
nmgyrl Mar 30, 2018 11:46AM PDT
For Under Armour/MFP, here's one potential way to improve security further: when key data such as an account password or email address is changed, send the user an email about it in case they didn't make the change. I changed my password over an hour ago and haven't seen one.