Online fraudsters have broken into dozens of Fitbit accounts in the past month in what the company has admitted is a "malicious" attack, BuzzFeed News has discovered.
The criminals used leaked email addresses and passwords from third-party sites to log into accounts in a string of attacks in December. BuzzFeed News has discovered at least 24 cases so far, but the company has refused to reveal how many of its users have been affected beyond saying it is a "small proportion".
Once inside the accounts, the attackers changed the details and attempted to defraud the company by ordering replacement items under the user's warranty, Fitbit confirmed. They also had access to customer data including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep.
Users said when they tried to log in their associated email addresses had been changed to addresses such as "threatable123" and that some usernames had been changed to "vile" words.
Worried users flocked to Fitbit's forum to raise concerns about the security of the devices – which monitor heart rate, weight, sleeping patterns, and exercise to help improve health.
Speaking to BuzzFeed News, users said they were furious with Fitbit's response to the attacks. Several accused the company of failing to act quickly or appropriately, and of blaming the users for the security issues.
In a message to users, Fitbit urged them to avoid reusing passwords across other accounts, which, it said, "leaves them more vulnerable to this type of malicious behaviour" and directed them to a generic online safety advice page after helping set their accounts back up.
BuzzFeed News understands that in one instance a customer service representative said on Fitbit's forum that the people breaking into accounts were based in Ireland. The post was, however, swiftly deleted.
"Fitbit's response across the forums has been to try and cover this up," one user said, accusing the company of refusing to acknowledge any problem by "blaming" the actions of customers instead.
Others raised concerns about Fitbit's light verification process and the absence of two-step verification for account changes. They said the company should be "more careful with customer data".
Fitbit denied that it had handled the attacks poorly and insisted it did not have a security problem.
However, head of security Marc Bown said the company was now looking into greater security controls and said outwitting fraudsters was like a game of "cat and mouse".
"It's a fair criticism. We don't have two-step verification on the site at the moment – it is something we're working on actively," he said. He was clear, however, that because the emails and passwords had been stolen from a third-party site, Fitbit was not the victim of "hackers" but of fraudsters instead.
Bown also confirmed this was not the first time online criminals have tried to get into Fitbit customers' accounts – but declined to say how many accounts had been affected and denied the surge in attacks in December represented a "spike" in fraudster activity.
He said the company had been investing "heavily" in security this year after multiple attempted attacks since Fitbit was launched in 2007. It was a global issue, he said.
Fitbit is currently recruiting for a fraud prevention manager to head up a team of five at its head office in San Francisco.
A spokesperson added: "Fitbit takes our obligation to safeguard customer personal information very seriously and we are vigilant in identifying, blocking, and addressing this type of malicious nefarious activity. We take measures to reset the passwords of affected users and prompt those users to create new passwords."
On Wednesday afternoon, 24 hours after BuzzFeed News approached Fitbit for a response, the company posted a page warning users about the fraud.
Sara Spary is a consumer business correspondent for BuzzFeed News and is based in London.
Contact Sara Spary at firstname.lastname@example.org.
Got a confidential tip? Submit it here.