Updated Nov 15, 2019

Notice of security incident

We recently identified and addressed a security incident involving a subset of user data.We know transparency is important to our community, and we want to share with you what we have learned from our investigation, the measures we have taken, as well as steps you can take.

What happened

We recently identified unauthorized access to some of our databases containing certain Running Room users’ account information, including account credentials. In response to this discovery, we immediately launched an investigation. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Running Room user information on Nov 14, 2019.

What information was involved

The databases involved may have contained your Running Room username, cryptographically protected password and email address. Running Room has always cryptographically protected passwords using a technique known by security experts as “salted hashing.” The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, using a unique salt for each password in combinationwith the hashing algorithms makes it very difficult and requires significant computing resources to crack these hashed passwords. Importantly, we do not collect from users, and this incident did not involve, Social Insurance numbers or other government-issued IDs, bank account, credit card, or other financial information.

What we are doing

We detected the unauthorized access and blocked it immediately then made additional changes to our site to prevent this from recurring. You are not required to take any specific action. Additionally, to help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additionalways to strengthen the security of our systems. We also notified the Office of the Information and Privacy Commissioner of Alberta.

What you can do

You can continue to use Running Room without further action. However, next time you log into your account, you may want to reset your password. You will find instructions onour support page (linked below) explaining how to create a new password. Also, if you use the same username and password you created for Running Room for any other online service, we recommend you change your password there, too.

What is a hashed password?

When hashed, a password converts to a random-looking string of characters through cryptographic algorithms. The basic operation of hash functions do not require any key and operate in a one-way manner. The benefit of hashing passwords is that we never need to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computing resources to crack these passwords.

What is “bcrypt”?

Bcrypt is an adaptive password hashing mechanism that uses a block cipher cryptographic algorithm and other security features, including multiple rounds of computation, to provide advanced protection against password cracking.

What is password salting?

Adding “salt” to a hashed password provides an additional layer of security, specifically against brute force attacks. The salts Running Room used were unique to each user.

How did you learn about the incident?

Our engineering team became aware of the incident after identifying suspicious activity in the environment where the databases reside.

Were all Running Room user accounts involved?

No. Not all Running Room users’ accounts were involved in the incident. Only a small portion of our accounts was involved; we do not consider that there exists a real risk of significant harm to an individual as a result of the unauthorized access.

How many accounts were involved?

We’re still in the process of determining the total number. We do know that not all accounts were compromised.

Have you reported this incident?

Yes, we notified the Office of the Information and Privacy Commissioner of Alberta.

If my data was involved, what are my risks? Could my identity be stolen?

We do not consider that there exists a real risk of significant harm to an individual as a result of unauthorized access. Running Room does not collect from users, and this incident did not involve sensitive personal information like government-issued IDs (like Social Insurance numbers and driver’s license numbers) or payment cards, bank account, or other financial information.As a precaution, we recommend you change any password you use for other accounts ifit is the same or similar to your Running Room password. You should regularly change all passwords and not use the same or similar passwords for different online accounts.

Is it safe to continue using my Running Room account?

Yes. Running Room has always cryptographically protected passwords using a techniqueknown by security experts as “salted hashing.” The benefit of hashing passwords is thatwe never need to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computing resources to crack these hashed passwords. Importantly,we do not collect from users, and this incident did not involve, Social Insurance numbersor other government-issued IDs, bank account, credit card, or other financial information.

We take our obligation to safeguard your data very seriously and are alerting you aboutthis issue so you can take steps to help protect your information. We recommend you:

  • Watch out for potential phishing scams, spam emails including any email from the sender - runningroom.com or any email from us requesting or advising of payment, please do not open and do not click any links.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

How do I reset my password?

If you are on the Web, you can reset your password at www.runningroom.com/password. Please note to reset your password, you will need access to the email address associated with your Running Room account. If you need additional help, please select Contact Uson the Running Room Support page or email us at loginhelp@runningroom.zendesk.com.