Fitbit users fall victim to account takeovers. Don’t reuse passwords!

11 Jan 2016 | Data loss, Privacy, Security threats

by Lisa Vaas

Online crooks have recently broken into dozens of Fitbit accounts using leaked email addresses and passwords from third-party sites.

BuzzFeed reports that it’s discovered at least 24 cases of attacks that took place in December.

Fitbit has declined to reveal how many users have been affected but told the publication that it was a “small proportion”.

Once inside the accounts of people who use the activity/sleep/weight/health trackers, the attackers changed users’ details and tried to order replacement items under the users’ warranties, Fitbit confirmed.

Getting into those accounts gave intruders access to personal user data including geolocation history that shows where a person regularly runs or cycles, as well as data about when they typically go to sleep.

Users on forums such as the Fitbit Community have complained about the attackers changing the names on victims’ accounts: one was changed to “threatable123,” while others have been changed to “vile” words.

One hates to blame the victims, but it sounds as though at least some of them may well have used the same email and password for other online accounts.

Appropriately enough, Fitbit reportedly sent a message to users instructing them to avoid reusing passwords across other accounts, which it said “leaves them more vulnerable to this type of malicious behavior.”

After it helped get affected users back their accounts, Fitbit sent them to a generic online safety advice page.

The advice to avoid password reuse is, in truth, pretty generic, but that’s because it’s very good advice.

As we’ve explained, even a long, strong, complicated password that looks devilishly hard to crack can become, effectively, a skeleton key to your whole online life if you’ve reused it.

But password reuse isn’t the only way for attackers to get their hands on exact login names and passwords: phishing and keylogging are two other ways to get that data.

As some users have pointed out, in addition to giving out advice about not reusing passwords, Fitbit could also make it harder for hijackers to take over accounts by using multifactor authentication.

Fitbit’s head of security, Marc Bown, said that’s a fair point, that the company’s actually looking at beefing up security in this “cat and mouse” game, and that two-step verification [2SV] is actually in the works:

It’s a fair criticism. We don’t have two-step verification on the site at the moment – it is something we’re working on actively.

Still and all, while 2SV – also known as two-factor authentication (2FA) – might have helped shield users’ accounts, the credentials used in the recent takeovers were lifted from a third-party site, which means that Fitbit’s own systems weren’t breached.

Rather, Bown said, Fitbit is being victimized by fraudsters who got customers’ logins elsewhere.

The December attacks don’t represent a “spike” in fraudulent activity, he said: in fact, the company’s been targeted since its 2007 launch.

The company declined to put numbers around the ongoing attacks, but within a day of being contacted by BuzzFeed, it put up a page warning users about account takeover attempts.
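The takeover pattern the article describes (logins with credentials leaked elsewhere, followed by changed account details and warranty orders) is also something a service can watch for on its own side, even before 2SV ships. The script below is an added example, not code from the article, Fitbit or Sophos: it runs two simple checks over constructed login-event lines, flagging source addresses that try many different accounts in a short window with mostly failures (the signature of a credential-stuffing run), and then flagging accounts that were logged into from such an address and immediately changed or used to place an order. The event format, action names and thresholds are assumptions for illustration.

```python
"""Credential-stuffing and account-takeover triage over constructed auth events.

Added example; the event layout (timestamp, source IP, account, action, outcome),
the action names and the thresholds are assumptions, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing run from 203.0.113.7 that lands one account
# and then tampers with it, plus a legitimate user who mistypes a password once.
SAMPLE_EVENTS = """\
2015-12-20T02:00:01Z 203.0.113.7 alice@example.net login fail
2015-12-20T02:00:02Z 203.0.113.7 bob@example.net login fail
2015-12-20T02:00:03Z 203.0.113.7 carol@example.net login success
2015-12-20T02:00:04Z 203.0.113.7 dave@example.net login fail
2015-12-20T02:00:05Z 203.0.113.7 erin@example.net login fail
2015-12-20T02:00:06Z 203.0.113.7 frank@example.net login fail
2015-12-20T02:00:40Z 203.0.113.7 carol@example.net profile_change success
2015-12-20T02:01:10Z 203.0.113.7 carol@example.net warranty_order success
2015-12-20T08:15:00Z 198.51.100.9 alice@example.net login fail
2015-12-20T08:15:20Z 198.51.100.9 alice@example.net login success
2015-12-20T09:00:00Z 198.51.100.9 alice@example.net profile_change success
"""

# Actions that matter after a suspicious login (assumed names).
SENSITIVE_ACTIONS = {"profile_change", "warranty_order"}


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, action, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "account": account, "action": action, "outcome": outcome,
        })
    return events


def stuffing_sources(events, window=timedelta(minutes=5),
                     min_accounts=5, max_success_ratio=0.5):
    """Return source IPs whose login attempts inside `window` span at least
    `min_accounts` distinct accounts with a success ratio at or below
    `max_success_ratio`. Stats reported are for the widest qualifying window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            win = attempts[start:end + 1]
            accounts = {e["account"] for e in win}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for e in win if e["outcome"] == "success")
            if successes / len(win) > max_success_ratio:
                continue
            prev = flagged.get(ip)
            if prev is None or len(accounts) > prev["accounts"]:
                flagged[ip] = {"accounts": len(accounts),
                               "attempts": len(win), "successes": successes}
    return flagged


def takeover_candidates(events, suspect_ips, followup=timedelta(minutes=10)):
    """Map account -> sensitive actions taken within `followup` of a successful
    login from one of `suspect_ips`. Sorted copy; the caller's list is untouched."""
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = defaultdict(list)
    for i, e in enumerate(ordered):
        if not (e["action"] == "login" and e["outcome"] == "success"
                and e["ip"] in suspect_ips):
            continue
        for later in ordered[i + 1:]:
            if later["ts"] - e["ts"] > followup:
                break
            if later["account"] == e["account"] and later["action"] in SENSITIVE_ACTIONS:
                findings[e["account"]].append(later["action"])
    return dict(findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sources = stuffing_sources(evs)
    for ip, stats in sources.items():
        print(f"stuffing source {ip}: {stats}")
    for account, actions in takeover_candidates(evs, set(sources)).items():
        print(f"possible takeover of {account}: {', '.join(actions)}")
```

On the constructed sample, only 203.0.113.7 is flagged (six accounts in five seconds, one success), and only carol's account is reported, because its profile change and warranty order follow a login from that address within minutes. The legitimate user who fails once and then succeeds from 198.51.100.9 is not flagged, since a single account never reaches the distinct-account threshold. In practice the thresholds would be tuned against a service's real traffic, and a hit would be a trigger to step up verification or review the order, not an automatic lockout.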


3 comments on “Fitbit users fall victim to account takeovers. Don’t reuse passwords!”

  1. Kyle Saia says:
    January 12, 2016 at 6:29 pm

    Wow, something to think about here. If someone is able to access your Fitbit account they can get a lot of scary information about you. I would think Fitbit would make 2FA a priority at this point. I wonder if these users are going to start being victims of break-ins now.
  2. Alistair McQuade says:
    February 15, 2016 at 7:06 pm

    My account was hacked, and yet I have very good password procedures. Fitbit have been slow to respond, and repeatedly fail to actually locate my account. They say that it is the fault of the users, but they clearly have completely inadequate controls in place, otherwise how can somebody take over an account without any form of authentication? In this day and age, multi-factor authentication should be standard for any system holding personal data like this. Fitbit need to act more accountable, and they need to seriously beef up their support response, which is completely inadequate.
  3. PJ says:
    February 8, 2019 at 3:49 am

    I was hacked twice! Support is terrible. They acted like it was my fault!! Buy another tracker. If they don’t care enough to secure our accounts they don’t deserve our business!

© 1997 - 2023 Sophos Ltd. All rights reserved. Powered by WordPress VIP