On Friday, February 8, 2019 we became aware of a potential data breach involving 8fit user data. Upon further investigation, we confirm that some 8fit user data was affected.
The data breach occurred in July 2018.
What information was affected?
Based on what we have learned, the affected information includes email addresses and bcrypt-hashed passwords. Hashing is a security protocol that keeps passwords secure. In some cases, gender and IP address information, along with expired Facebook authentication tokens and profile thumbnail images, were also affected.
What did 8fit do when it found out about the breach?
As soon as we became aware of the potential incident, we began investigating the legitimacy and severity of the vulnerability. We have been working with security firms to determine the nature of the breach and continue to secure our systems to prevent future attacks. We have also notified and are coordinating with law enforcement authorities and reaching out to all customers to provide information on the incident as well as guidance on how they can protect their data.
Does this mean my credit card details are now available online? How about my updates and emails with my 8fit coach? How about my social security number?
No payment information whatsoever was obtained. We do not collect social security numbers so these were also not obtained. Conversations and communication between 8fit users and coaches were not captured.
If my data was compromised, could my identity be at risk?
We are encouraging all users to update their 8fit account password, as well as the password for any other account on which the same or a similar password is used.
We also advise users to be cautious of any unsolicited communication that asks for personally identifiable information and to forgo downloading attachments from suspicious-looking emails.
How many people were impacted? How do I know if I was affected?
Approximately 20 million 8fit user details were affected. In the interest of transparency, we are notifying all 8fit users of the incident via email.
What are you doing about this going forward to prevent a similar incident from happening again?
We have launched a comprehensive review of all of our systems and are taking necessary precautions to ensure all vulnerabilities have been identified and secured.
We are continuing to upgrade our network infrastructure and are making modifications to our internal software development processes.
We are working with several of the leading data security firms in the world to fortify our systems and further secure all of our online properties.
How can I update my password?
You can change your password here
How can I delete my account or any data you have on me?
If you want to delete your 8fit account, open the 8fit app and visit Settings > Account > Delete My Account
Unfortunately, deleting your 8fit account will not prevent your user information from being compromised in the event that it has already been compromised.
I didn’t know I had an 8fit account - how is it that my user information was compromised?
You probably signed up for an 8fit account some time ago, and while you perhaps have not been an active user in recent months, your account remained. As such, some account information may have been compromised.
Does 8fit know who is responsible?
No, but we are working with law enforcement in an effort to identify the attacker.
If I have additional questions, who can I contact?
For any additional questions, please reach out to firstname.lastname@example.org.