Online Criminals Hijack Fitbit User Accounts, Make Fraudulent Warranty Claims

Online fraudsters recently broke into a number of Fitbit customer accounts using leaked usernames and passwords from third-party websites. According to a report by BuzzFeed, at least two dozen cases were discovered in December. Fitbit did not disclose how many users were affected but told the publication it was a “small portion.” Once the intruders were able to gain access to customer accounts, users’ information was altered in order to prevent account owners from logging in. They then attempted to report defective devices and request new ones under the user’s warranty, confirmed the company. In an article posted on the company’s Help page, Fitbit assured customers that even though some of their information was accessed, their credit card information remained safe.

“Fitbit takes our obligation to safeguard customer information very seriously. We're vigilant in identifying, blocking, and addressing malicious activity. We lock accounts we believe have been compromised, meaning we reset the password and prompt the customer to create a new one. The metrics we monitor change over time as attackers change their approach.” 

The company also stated it had engaged with appropriate law enforcement authorities to “provide them with the information they need to pursue those responsible for this activity.” Fitbit’s head of security Marc Brown said the company is now looking into greater security controls, and has been investing “heavily” in security after multiple attempted attacks since its launch in 2007. “We don’t have two-step verification at the moment – it is something we’re working on actively,” he said. Brown stressed that Fitbit was not the victim of “hackers” but of fraudsters instead, due to the fact that the user’s credentials were stolen from a third-party site.