by Thriptic 3003 days ago
It's funny you would mention that because I also got annoyed by this and submitted a feature request for https. This is the response I received:

Hello,

Thanks for writing in to us regarding https on MyFitnessPal.

We have technical and organizational measures in place to protect your information. Specifically, we have a secure login process designed to protect your information as you access MyFitnessPal (i.e., login and profile data are submitted using HTTPS POST actions).

The login pages of MyFitnessPal that are encrypted via https include:

http://www.myfitnesspal.com
http://www.myfitnesspal.com/login
http://www.myfitnesspal.com/logout

Although our home page at http://www.myfitnesspal.com may not indicate the presence of https in your browser's interface, the actual login "lightbox" or pop-over window on the home page does send your login credentials via https.

After login, the MyFitnessPal website does not always load in HTTPS only mode (i.e. padlock not fully closed or green). This is because we sometimes load public content like images, public text from Under Armour, images & text from our advertising partners, and other non-user data using HTTP. While we load that public content using HTTP, we load user content using HTTPS.

We also continue to evaluate the security of our platforms, and have a dedicated team of cybersecurity professionals focused on this area. We will continue to review our security protocols to protect personal data.

Please let us know if you have additional questions or concerns.
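An added example (not from the thread and not MyFitnessPal's code): a small Python checker for the setup the reply describes, flagging a password form whose action is HTTPS while the page carrying it was fetched over plain HTTP, because an unencrypted page can be altered in transit before the browser ever makes the encrypted POST. The hostname, HTML and headers are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect every <form> on the page and note whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action means "post back to the page's own URL".
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html, headers):
    """Return findings for a page fetched from page_url with the given HTML and response headers."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme.lower() != "https":
            findings.append("password form posts over plaintext HTTP")
        elif page_scheme != "https":
            # The POST itself is encrypted, but the page carrying the form was not, so anyone
            # on the path can rewrite the action or inject script before the POST is made.
            findings.append("password form delivered on an HTTP page; HTTPS action alone is not enough")
    if page_scheme == "https" and "strict-transport-security" not in {k.lower() for k in headers}:
        findings.append("no Strict-Transport-Security header; a first visit can still be downgraded")
    return findings

# Constructed sample modelled on the setup described in the reply above (hostname is made up).
HOME_URL = "http://www.example-fitness.test/"
HOME_HTML = """<html><body><div id="login-lightbox">
<form action="https://www.example-fitness.test/account/login" method="post">
<input name="username"><input type="password" name="password"><input type="submit">
</form></div></body></html>"""
HOME_HEADERS = {"Content-Type": "text/html"}
```

Run `audit_login_page(HOME_URL, HOME_HTML, HOME_HEADERS)` to see the single finding for the home-page lightbox; serving the same form from an HTTPS URL with an HSTS header returns no findings.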


It's hard to believe that not only are they this clueless, but they also are trying to justify their idiotic decisions. Jesus, how hard can it be to set up TLS? Let's Encrypt, anyone?

That's an extremely embarrassing response. Helps me understand how this data breach occurred if an organization is this uninformed about basic security.

Tag Troy Hunt and underarmor on Twitter with a pic of this, sit back and enjoy.