TORONTO • Under Armour has said that data from some 150 million MyFitnessPal diet and fitness app accounts was compromised last month, in one of the biggest hacks in history, sending shares of the athletic apparel-maker down 3 per cent in after-hours trade.

The stolen data includes account user names, e-mail addresses and scrambled passwords for the popular MyFitnessPal mobile app and website, Under Armour said in a statement on Thursday.

Social Security numbers, driver licence numbers and payment card data were not compromised, it said. It is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard.

Larger hacks include three billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by California-based FriendFinder Networks in 2016, according to breach notification website LeakedSource.com Under Armour said it is working with data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.

While the breach did not include financial data, large troves of stolen e-mail addresses can be valuable to cyber criminals.

E-mail addresses retrieved in a 2014 attack that compromised data on some 83 million JPMorgan Chase customers were later used in pump-and-dump schemes to boost stock prices, according to US federal indictments in the case in 2015.

Under Armour said in an alert on its website that it will require MyFitnessPal users to change their passwords, and it urged users to do so immediately.

The company bought MyFitnessPal in 2015 for US$475 million (S$622 million). It is part of the company's connected fitness division, whose revenue last year accounted for 1.8 per cent of Under Armour's US$5 billion in total sales.

REUTERS