Online Criminals Are Targeting Fitbit User Accounts

Fraudsters have been using leaked data to take over Fitbit accounts in an attempt to defraud the company, BuzzFeed News can reveal.

Posted on January 6, 2016, at 10:30 a.m. ET

Online fraudsters have broken into dozens of Fitbit accounts in the past month in what the company has admitted is a "malicious" attack, BuzzFeed News has discovered.

The criminals used leaked email addresses and passwords from third-party sites to log into accounts in a string of attacks in December. BuzzFeed News has discovered at least 24 cases so far, but the company has refused to reveal how many of its users have been affected beyond saying it is a "small proportion".

Once inside the accounts, the attackers changed the account details and attempted to defraud the company by ordering replacement items under the user's warranty, Fitbit confirmed. They also had access to customer data including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep.

Users said that when they tried to log in, their associated email addresses had been changed to addresses such as "threatable123", and that some usernames had been changed to "vile" words.

Worried users flocked to Fitbit's forum to raise concerns about the security of the devices – which monitor heart rate, weight, sleeping patterns, and exercise to help improve health.

Yesterday Fitbit unveiled its latest device, Blaze, designed to take on the Apple Watch.

Speaking to BuzzFeed News, users said they were furious with Fitbit's response to the attacks. Several accused the company of failing to act quickly or appropriately, and of blaming the users for the security issues.

In a message to users, Fitbit urged them to avoid reusing passwords across other accounts, which, it said, "leaves them more vulnerable to this type of malicious behaviour" and directed them to a generic online safety advice page after helping set their accounts back up.

BuzzFeed News understands that in one instance a customer service representative said on Fitbit's forum that the people breaking into accounts were based in Ireland. The post was, however, swiftly deleted.

"Fitbit's response across the forums has been to try and cover this up," one user said, accusing the company of refusing to acknowledge any problem by "blaming" the actions of customers instead.

Others raised concerns about Fitbit's light verification process and the absence of two-step verification for account changes. They said the company should be "more careful with customer data".

Fitbit denied that it had handled the attacks poorly and insisted it did not have a security problem.

However, head of security Marc Bown said the company was now looking into greater security controls and said outwitting fraudsters was like a game of "cat and mouse".

"It's a fair criticism. We don't have two-step verification on the site at the moment – it is something we're working on actively," he said. He was clear, however, that because the emails and passwords had been stolen from a third-party site, Fitbit was not the victim of "hackers" but of fraudsters instead.

Bown also confirmed this was not the first time online criminals have tried to get into Fitbit customers' accounts – but declined to say how many accounts had been affected and denied the surge in attacks in December represented a "spike" in fraudster activity.

He said the company had been investing "heavily" in security this year after multiple attempted attacks since Fitbit was launched in 2007. It was a global issue, he said.

Fitbit is currently recruiting for a fraud prevention manager to head up a team of five at its head office in San Francisco.

A spokesperson added: "Fitbit takes our obligation to safeguard customer personal information very seriously and we are vigilant in identifying, blocking, and addressing this type of malicious nefarious activity. We take measures to reset the passwords of affected users and prompt those users to create new passwords."

On Wednesday afternoon, 24 hours after BuzzFeed News approached Fitbit for a response, the company posted a page warning users about the fraud.