Dozens of Fitbit accounts have been broken into by online fraudsters in what the company calls a “malicious attack,” according to BuzzFeed News, which originally broke the story. Email addresses and passwords leaked from third-party sites in December were then used by the hackers to log into users’ Fitbit accounts. At least 24 cases have been discovered so far. The company says this is a “small proportion” of its users.
The attackers used the accounts to try to order replacement parts under the user’s warranty after changing the details. The accounts also provided them with personal data on the user, such as typical exercise locations and the time the person usually goes to sleep.
Users who had been attacked say that when they tried to log into their accounts, their associated email addresses had been changed and user names had been updated to “vile” words. However, a spokeswoman for Fitbit stated that the company’s computer servers had not been hacked and that credit card information had not been threatened.
A statement from the company said that they take the security of their customers’ accounts very seriously, and that they have reset the passwords of those users affected by the attack. They recommend that, in order to prevent this type of attack, customers not reuse passwords from other accounts, as this leaves them more vulnerable to “malicious behavior.” They also stated that the data was compromised from other third-party sites which were unrelated to Fitbit.
Fitbit users have been angry over the company’s response to the hack, which they see as blaming the user for the security issues and trying to cover up the attack. Those with issues were assisted in setting their accounts back up and then directed to a generic online safety page.
Marc Brown, Fitbit head of security, said the company is looking into greater security controls. He confirmed that this is not the first time attackers have tried to get into their customer accounts since the company was launched in 2007.