Online Criminals Are Targeting Fitbit User Accounts
Fraudsters have been using leaked data to take over Fitbit accounts in an attempt to defraud the company, BuzzFeed News can reveal.
FitBit / Via fitbit.com
Online fraudsters have broken into dozens of Fitbit accounts in the past month in what the company has admitted is a "malicious" attack, BuzzFeed News has discovered.
The criminals used leaked email addresses and passwords from third-party sites to log into accounts in a string of attacks in December. BuzzFeed News has discovered at least 24 cases so far, but the company has refused to reveal how many of its users have been affected beyond saying it is a "small proportion".
Once inside the accounts, the attackers changed the details and attempted to defraud the company by ordering replacement items under the user's warranty, Fitbit confirmed. They also had access to customer data including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep.
Users said when they tried to log in their associated email addresses had been changed to addresses such as "threatable123" and that some usernames had been changed to "vile" words.
Worried users flocked to Fitbit's forum to raise concerns about the security of the devices – which monitor heart rate, weight, sleeping patterns, and exercise to help improve health.
Yesterday Fitbit unveiled its latest device, Blaze, designed to take on the Apple Watch.
Fitbit / Via mms.businesswire.com
Speaking to BuzzFeed News, users said they were furious with Fitbit's response to the attacks. Several accused the company of failing to act quickly or appropriately, and of blaming the users for the security issues.
In a message to users, Fitbit urged them to avoid reusing passwords across other accounts, which, it said, "leaves them more vulnerable to this type of malicious behaviour" and directed them to a generic online safety advice page after helping set their accounts back up.
BuzzFeed News understands that in one instance a customer service representative said on Fitbit's forum that the people breaking into accounts were based in Ireland. The post was, however, swiftly deleted.
"Fitbit's response across the forums has been to try and cover this up," one user said, accusing the company of refusing to acknowledge any problem by "blaming" the actions of customers instead.
Others raised concerns about Fitbit's light verification process and the absence of two-step verification for account changes. They said the company should be "more careful with customer data".
via BuzzFeed - Tech http://ift.tt/1S4aFGp
Put the internet to work for you.
No comments: