The MyFitnessPal database has been compromised for years. I register with a unique email address for every website and app that I use so that I can tell when somebody's database gets compromised or they sell my data. I started getting an influx of spam to my MyFitnessPal email years ago. I told them about it at the time but they didn't care.
I never agree to sharing my email address with partners, so if that's the case, then it was without my consent.
However generally speaking, I've noticed there's a big difference in the spam you get from somebody selling your data and the spam you get from a database compromise. When somebody sells your data, you get spam from real organisations who happen to be acting in a sleazy way (e.g. bulk promo emails sent to people without their consent). When somebody's database gets compromised, you get things like phishing emails and V14gr4-style emails designed to bypass spam filters. The MyFitnessPal spam was the latter sort.
This was sent to an email address I've only ever given to MyFitnessPal. MyFitnessPal say the breach happened in late February of this year, but this email was sent in August of last year.
As mentioned in the Reddit thread, the terms now specify that they share your data with partners. I guess the consent they got from you was "Oh hi, so here's the new version of the app, btw we updated our policies, click anywhere to agree".
It seems like a lot of people think that the existence of a privacy policy means they can do whatever they want. This isn't true.
Did you read the privacy policy? It says:
> only to the extent it is necessary for them to (1) provide their products and services to us, or (2) to provide you the products and services that you have requested.
This certainly doesn't cover the kind of spam I mentioned.
Also, I stopped using the app before that privacy policy was ever written. I've searched my email and they never emailed me about it either. I've never been notified about a new privacy policy.
> However generally speaking, I've noticed there's a big difference in the spam you get from somebody selling your data and the spam you get from a database compromise
Even if this is true, the sold data may be compromised further down the line.
Perhaps so. As far as I'm concerned, MyFitnessPal and Under Armour would still be responsible in this case. If you share my personal data with somebody, and their security isn't good enough, that's on you.
The way most people do this is with plus addressing. If your mail provider supports it (e.g. Gmail does), you can send email to someuser+somewebsite@example.com and it will be delivered to someuser@example.com. There are a minority of websites and apps that reject emails like that, but they are quite rare and the vast majority don't have any issue with it.
If you have your own domain name, you can set up a catch-all address, so if you own example.com, then you can register on websites and in apps with somewebsite@example.com instead. This works everywhere.
You can then look at what email address an email was addressed to, to see how the sender got hold of your email address, and you can filter and block future emails based on that address as well. So if, for instance, you've registered with MyFitnessPal with myfitnesspal@example.com, then you can cut off everybody who's got hold of your email address via the MyFitnessPal breach with 100% effectiveness using one spam rule.
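The "one spam rule" described above, as an added example that is not part of any comment in this thread. It assumes a hypothetical domain example.com with a real mailbox someuser@example.com, reads the Delivered-To header (the address the mail server actually delivered to, rather than To/Cc, which spam routinely forges or omits), recovers the per-service tag from either the plus-addressing form or the catch-all form, and blocks anything sent to the address that was only ever given to the breached service. The sample messages are constructed.

```python
import email
from email.utils import getaddresses
from typing import Optional

# Hypothetical domain and real mailbox for this example (constructed values)
MY_DOMAIN = "example.com"
REAL_LOCAL = "someuser"

# Services whose address is known to have leaked; mail to their tag is cut off
BREACHED_SERVICES = {"myfitnesspal"}

# Constructed sample messages; senders use the reserved .invalid TLD
SAMPLE_MESSAGES = [
    "Delivered-To: myfitnesspal@example.com\n"
    "From: promo@constructed-sender.invalid\n"
    "Subject: Cheap V14gr4\n\nbody\n",
    "Delivered-To: someuser+newsletter@example.com\n"
    "From: news@constructed-sender.invalid\n"
    "Subject: Weekly digest\n\nbody\n",
    "Delivered-To: someuser@example.com\n"
    "From: friend@constructed-sender.invalid\n"
    "Subject: hi\n\nbody\n",
]


def service_tag(address: str, domain: str = MY_DOMAIN,
                real_local: str = REAL_LOCAL) -> Optional[str]:
    """Return the per-service tag embedded in an address, or None.

    Handles both schemes from the thread:
      plus addressing   someuser+tag@example.com -> "tag"
      catch-all domain  tag@example.com          -> "tag"
    The bare real mailbox and foreign domains yield None.
    """
    local, sep, dom = address.strip().lower().rpartition("@")
    if not sep or dom != domain.lower():
        return None
    if "+" in local:
        base, _, tag = local.partition("+")
        if base != real_local.lower() or not tag:
            return None
        return tag
    if local == real_local.lower():
        return None
    return local  # catch-all: the local part itself is the tag


def recipient_tag(raw_message: str) -> Optional[str]:
    """Tag of the address the MTA actually delivered to (Delivered-To)."""
    msg = email.message_from_string(raw_message)
    for _, addr in getaddresses(msg.get_all("Delivered-To") or []):
        tag = service_tag(addr)
        if tag:
            return tag
    return None


def action_for(raw_message: str) -> str:
    """One rule: block everything sent to a breached service's address,
    label the rest by service, deliver untagged mail as normal."""
    tag = recipient_tag(raw_message)
    if tag is None:
        return "deliver"
    if tag in BREACHED_SERVICES:
        return "block:" + tag
    return "label:" + tag


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(action_for(raw), "<-", raw.splitlines()[0])
```

The same logic fits a Sieve or procmail rule matching on the recipient, but doing it in code shows why Delivered-To is the header to key on: the tag is part of the address you handed out, so it cannot be stripped by the sender the way a From address or subject can.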
With some email providers you can add something after your email address like this:
realemailaddress+myfitnesspal@example.com
Or:
realemailaddress+0f3eda@example.com
The assumption here is that you have something to keep track of what code you've assigned to what service.
Of course, some services don't allow a + in the email address so this only goes so far.
If you want to get slightly fancier, you could use your own domain and a catchall alias that sends everything to your real mailbox. That lets you use an address that doesn't have any obvious relationship to your real email address, apart from the domain name.
If you want to get ultra fancy, you could run your own mail server and set up a process to generate unique email addresses on the fly and keep track of which service was given which address. This is really just attaching some automation to the previous example, possibly using 'real' mailboxes for the incoming email.
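The bookkeeping the last two paragraphs describe (issuing an opaque code such as 0f3eda per service and remembering which service got it, falling back to a catch-all address for services that reject a plus sign), as an added example that is not any commenter's code. It assumes a hypothetical domain example.com with real mailbox realemailaddress@example.com and a catch-all alias on that domain; the registry is kept in memory unless a JSON path is given.

```python
import json
import secrets
from pathlib import Path
from typing import Optional


class AddressRegistry:
    """Keeps track of which opaque tag was handed to which service.

    Constructed example; assumes the hypothetical domain example.com with
    real mailbox realemailaddress@example.com. Services that accept '+'
    get realemailaddress+<tag>@example.com; the rest get the catch-all
    form <tag>@example.com, which needs a catch-all alias on the domain.
    """

    def __init__(self, path: Optional[Path] = None,
                 domain: str = "example.com",
                 real_local: str = "realemailaddress"):
        self.path = Path(path) if path else None
        self.domain = domain.lower()
        self.real_local = real_local.lower()
        self.entries = {}
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2))

    def issue(self, service: str, plus_ok: bool = True) -> str:
        """Generate a fresh random tag (3 bytes -> 6 hex chars, like 0f3eda)
        and record which service received it."""
        while True:
            tag = secrets.token_hex(3)
            if tag not in self.entries:   # avoid the (rare) collision
                break
        self.entries[tag] = {"service": service, "plus": plus_ok}
        self._save()
        if plus_ok:
            return f"{self.real_local}+{tag}@{self.domain}"
        return f"{tag}@{self.domain}"

    def lookup(self, address: str) -> Optional[str]:
        """Which service was given this address? None if unknown or untagged."""
        local, sep, dom = address.strip().lower().rpartition("@")
        if not sep or dom != self.domain:
            return None
        if "+" in local:
            base, _, tag = local.partition("+")
            if base != self.real_local:
                return None
        else:
            tag = local
        entry = self.entries.get(tag)
        return entry["service"] if entry else None


def demo() -> dict:
    """Issue two addresses in memory and resolve them back; returns results."""
    reg = AddressRegistry()
    plus_addr = reg.issue("myfitnesspal")
    plain_addr = reg.issue("strictshop", plus_ok=False)
    return {
        "plus_addr": plus_addr,
        "plain_addr": plain_addr,
        "plus_service": reg.lookup(plus_addr),
        "plain_service": reg.lookup(plain_addr),
        "bare_mailbox": reg.lookup("realemailaddress@example.com"),
        "foreign": reg.lookup("someone@other.example"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A random tag rather than the service's name is what makes the address carry no obvious relationship to you or to the service; the cost is that the registry file becomes the only way to tell where an address came from, so it needs backing up along with the mailbox.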