Online crooks have recently broken into dozens of Fitbit accounts using leaked email addresses and passwords from third-party sites.
BuzzFeed reports that it’s discovered at least 24 cases of attacks that took place in December.
Fitbit has declined to reveal how many users have been affected but told the publication that it was a “small proportion”.
Once inside the accounts of people who use the activity/sleep/weight/health trackers, the attackers changed users’ details and tried to order replacement items under the users’ warranties, Fitbit confirmed.
Getting into those accounts gave intruders access to personal user data including geolocation history that shows where a person regularly runs or cycles, as well as data about when they typically go to sleep.
Users on forums such as the Fitbit Community have complained about the attackers changing the names on victims’ accounts: one was changed to “threatable123,” while others have been changed to “vile” words.
One hates to blame the victims, but it sounds as though at least some of them may well have used the same email and password for other online accounts.
Appropriately enough, Fitbit reportedly sent a message to users instructing them to avoid reusing passwords across other accounts, which it said “leaves them more vulnerable to this type of malicious behavior.”
After it helped get affected users back their accounts, Fitbit sent them to a generic online safety advice page.
The advice to avoid password reuse is, in truth, pretty generic, but that’s because it’s very good advice.
As we’ve explained, even a long, strong, complicated password that looks devilishly hard to crack can become, effectively, a skeleton key to your whole online life if you’ve reused it.
But password reuse isn’t the only way for attackers to get their hands on exact login names and passwords: phishing and keylogging are two other ways to get that data.
As some users have pointed out, in addition to giving out advice about not reusing passwords, Fitbit could also make it harder for hijackers to take over accounts by using multifactor authentication.
Fitbit’s head of security, Marc Bown, said that’s a fair point, that the company’s actually looking at beefing up security in this “cat and mouse” game, and that two-step verification [2SV] is actually in the works:
It’s a fair criticism. We don’t have two-step verification on the site at the moment – it is something we’re working on actively.
Still and all, while 2SV – also known as two-factor authentication (2FA) – might have helped shield users’ accounts, the credentials used in the recent attacks were lifted from a third-party site, which means that Fitbit’s own systems weren’t breached.
Rather, Bown said, Fitbit is being victimized by fraudsters who got customers’ logins elsewhere.
The December attacks don’t represent a “spike” in fraudulent activity, he said: in fact, the company’s been targeted since its 2007 launch.
The company declined to put numbers around the ongoing attacks, but within a day of being contacted by BuzzFeed, it put up a page warning users about account takeover attempts.
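The takeover pattern the article describes (a burst of logins from one source against many different accounts, then a profile name change and a warranty replacement order on an account that source got into) can be turned into detection logic. This is an added example run over constructed sample events, not Fitbit’s code; the event format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Fitbit logs): (timestamp, account, source_ip, action)
EVENTS = [
    ("2015-12-14T09:00:01", "alice", "203.0.113.7", "login_fail"),
    ("2015-12-14T09:00:02", "bob",   "203.0.113.7", "login_fail"),
    ("2015-12-14T09:00:03", "carol", "203.0.113.7", "login_ok"),
    ("2015-12-14T09:00:04", "dave",  "203.0.113.7", "login_fail"),
    ("2015-12-14T09:00:05", "erin",  "203.0.113.7", "login_fail"),
    ("2015-12-14T09:00:06", "frank", "203.0.113.7", "login_fail"),
    ("2015-12-14T09:03:10", "carol", "203.0.113.7", "profile_name_change"),
    ("2015-12-14T09:05:40", "carol", "203.0.113.7", "warranty_replacement_order"),
    ("2015-12-14T10:15:00", "alice", "198.51.100.2", "login_ok"),  # normal single login
]

STUFFING_WINDOW = timedelta(minutes=5)   # assumed thresholds, tune per site
STUFFING_MIN_ACCOUNTS = 5
TAKEOVER_WINDOW = timedelta(minutes=30)

def parse(ev):
    ts, account, ip, action = ev
    return datetime.fromisoformat(ts), account, ip, action

def stuffing_sources(events):
    """Source IPs that tried logins against many distinct accounts inside a short window.
    Credential stuffing hits many accounts once each, unlike a user mistyping one password."""
    attempts = defaultdict(list)  # ip -> [(ts, account)]
    for ts, account, ip, action in map(parse, events):
        if action.startswith("login"):
            attempts[ip].append((ts, account))
    flagged = set()
    for ip, rows in attempts.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):  # sliding window starting at each attempt
            accounts = {a for t, a in rows[i:] if t - t0 <= STUFFING_WINDOW}
            if len(accounts) >= STUFFING_MIN_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged

def takeover_candidates(events):
    """Accounts logged into from a stuffing source and then, within the window,
    renamed and used to order a warranty replacement (the abuse the article reports)."""
    bad_ips = stuffing_sources(events)
    parsed = list(map(parse, events))
    result = set()
    for t_login, account, ip, act in parsed:
        if act != "login_ok" or ip not in bad_ips:
            continue
        later = {a for ts, acc, _, a in parsed if acc == account and t_login < ts <= t_login + TAKEOVER_WINDOW}
        if {"profile_name_change", "warranty_replacement_order"} <= later:
            result.add(account)
    return result
```

Flagged accounts are candidates for a forced password reset and a hold on the replacement order, not automatic proof of compromise.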
Kyle Saia
Wow, something to think about here. If someone is able to access your Fitbit account they can get a lot of scary information about you. I would think Fitbit would make 2FA a priority at this point. I wonder if these users are going to start being victims of break-ins now.
Alistair McQuade
My account was hacked, and yet I have very good password procedures. Fitbit have been slow to respond, and repeatedly fail to actually locate my account. They say that it is the fault of the users, but they clearly have completely inadequate controls in place, otherwise how can somebody take over an account without any form of authentication? In this day and age, multi-factor authentication should be standard for any system holding personal data like this. Fitbit need to act more accountable, and they need to seriously beef up their support response, which is completely inadequate.
PJ
I was hacked twice! Support is terrible. They acted like it was my fault!! Buy another tracker. If they don’t care enough to secure our accounts they don’t deserve our business!