Bodybuilding.com Users Are Advised to Change Passwords After a Data Breach
Bodybuilding.com bills itself as more than just an online fitness shop. According to the About Us page, there are over 9 million members of BodySpace – Bodybuilding.com's social network for fitness enthusiasts who want to share recipes, videos, and exercise information with like-minded people. Last week, these users, as well as numerous others who have shopped at Bodybuilding.com, received a rather unpleasant notification. In it, Bodybuilding.com admitted that it had discovered a data breach.
Bodybuilding.com was targeted by hackers
In a statement, Bodybuilding.com said that back in February, its security team noticed that something was not quite right. Realizing that it could be more serious than they had hoped, they called in a cybersecurity company to help them investigate the issue.
After close to two months of poking around, the experts concluded that Bodybuilding.com had fallen victim to a cyberattack that started in July 2018. Back then, the hackers sent a phishing email to one of the website's employees, which gave them the information needed to infiltrate the fitness shop's systems. Bodybuilding.com said that while it has no stone-cold evidence of someone stealing and misusing user data, it can't rule that out.
Who was affected?
Bodybuilding.com isn't very keen on sharing too many details. The statement doesn't contain the number of affected individuals, for example. Vague as the wording is, however, it does suggest that if you have a BodySpace account or if you have shopped at Bodybuilding.com, your information might have been accessed.
What sort of data was involved?
Bodybuilding.com was quick to point out that users' credit or debit card details have not been exposed. According to the statement, users who have opted to save their payment information in their accounts can rest assured that their financial data is safe because the website stores only the last four digits of customers' banking card numbers. Apart from that, pretty much everything else was there for the taking.
The fitness retailer said that as per the terms of service (which many people have likely failed to read), the data in users' BodySpace profiles was publicly available anyway. In addition to this, the hackers could have accessed names, emails, phone numbers, dates of birth, billing and shipping addresses, order histories, as well as the communication between users and Bodybuilding.com customer service agents. The people who have accessed Bodybuilding.com with the help of their Facebook accounts have one thing to cheer about – their passwords haven't been exposed. The rest should bear in mind that the hackers who infiltrated Bodybuilding.com's systems also had access to the users' login credentials.
How to change your Bodybuilding.com password?
Bodybuilding.com isn't taking any chances. It's already prompting users to change their passwords, and those who haven't done it by June 12 will have theirs automatically reset. We reckon that you should do it as soon as possible. According to the website's Help Section, the best way to change your Bodybuilding.com password is to log in to your account, go to http://my.bodybuilding.com/contactprefs/changepassword, and follow the instructions. If you can't remember your Bodybuilding.com password, you can go to https://www.bodybuilding.com/profile/forgot-password and reset it. As always, people who have reused the same login information for multiple websites are advised to change it at the other locations as well.
The people behind Bodybuilding.com apologized for any inconvenience and urged users to stay alert for any phishing and spam emails as well as other suspicious activity. What they didn't say was how they store people's passwords. The fact that they're urging everyone to update their login information, however, suggests that so far, the online shop's password storage mechanisms haven't been the best.