Fitbit users' details are being traded on the internet for as little as 50 cents (35p) each, according to fraudsters who say hundreds of accounts have been affected during a recent spate of attacks.
Two weeks after BuzzFeed News first reported that Fitbit customer accounts had been broken into by criminals who then tried to obtain items under warranty, people who claim to be involved in attempts to defraud the company have revealed how and why it is being targeted.
Several people, including two who say they broke into accounts, have told BuzzFeed News that account logins and passwords of Fitbit owners have been leaked from third-party sites. They are then traded online traded online in hacker forums for between 50 cents and $5, depending on the value of the device they are connected to.
The self-styled scammers say the number of users affected has been massively underestimated – our initial story cited at least 24 cases. We have seen evidence of what appears to be hundreds currently being traded online.
BuzzFeed News could not independently verify the individuals who have approached us anonymously, but we asked them to provide evidence to back up their claims.
They provided us with what they claim to be photographs of fraudulently obtained Fitbit devices, five replacement order confirmations from Fitbit to various addresses, and links to step-by-step instructions on how to break into stolen accounts.
They also directed us to eight online forums where people are trading Fitbit accounts, and to sites where dozens of Fitbit accounts are currently listed as "in stock" and can be bought illegally. They said some criminals charge up to $60 to obtain the devices for the customer themselves, taking payment via PayPal and bitcoin.
"I am one of the people who may have been defrauding Fitbit for free Surges, Charge HRs, and some of the cheaper Fitbit products," said one who approached BuzzFeed News.
"Many, many more than 24 have been hacked. I suspect at least 1,000 (likely more, but I cannot confirm because there were a lot of people doing it). I also know some of the other people who actively or used to defraud Fitbit before they tightened up security."
Fitbit now recommends customers avoid reusing passwords across different sites and make use of multi-factor authentication by signing in via Google wherever possible.
"There are entire communities based around warranty fraud, and social engineering that I do and hacking," the person said. "There are periods of time that a company's warranty procedure is abused by us. ... This continues until the company changes their policy.
"I personally have had five Fitbits sent to me under different names and empty addresses, and have [got] 20 [for] people who have paid me £30 for a Surge and £20 for a Charge HR."
"What tends to happen is completely random companies will be targeted. I will browse the internet for say, wireless speakers and message some companies," the person said, adding that Spotify and Netflix had all faced similar issues in the past.
"Other people do it different ways, [it] depends how much time you want to spend on it. Sometimes you can examine their policies, other times you just email them, call them, and see what happens."
Fitbit, he claimed, "became 'mainstream' in the fraud scene in the past months when we realised how terrible account security was and how easily they gave out replacements".
The accounts have been leaked and stolen, Fitbit said, from other third-party sites where the customer has used the same password. The criminal then attempts to match the password against other sites where it may have been used.
"One of the first Fitbits I did took me about three minutes in the Fitbit support chat," the person boasted. "There is a lot of information [on the Fitbit accounts] that some people could consider to be very personal because of the GPS feature on the Surge."
Another person who approached BuzzFeed News claiming to have defrauded Fitbit said the majority of people "defrauding" the company were "not even past the age of 20".
"I'll tell you now, I know 15-year-olds whom have done it," he said.
Fitbit has labelled the attacks an "unfortunate" part of doing business online, but there are question marks over why it has been slow to stamp it out.
One security expert said the company had been "heavily abused for the past few years".
"The number is definitely in the thousands," he said.
"Basically, about 1–2 years ago people would call them up, claim their device was defective, and Fitbit would send out a replacement. Then they started asking for more proof – either a receipt and a photo or the account the device was linked too. People would forge fake receipts (usually Amazon.com ones) ... and Photoshop pictures.
"Eventually, Fitbit stopped accepting this excuse. So people started 'cracking' accounts and selling them about six months ago." Some of the accounts can be sold on open forums, the security expert said, while others are invite-only.
"You'll notice that none of these forums are on the dark net or deep web," he said. "That's because with this type of fraud the risk is very low. Not a lot of people get arrested for this type of stuff compared to other types of fraud and credit card, identify fraud, and so on.
"People aren't afraid to brag about the number of Fitbits they fraudulently obtain either."
Carly is a Fitbit user who logged into her account in December to discover she had been locked out. Her password, email, and username had been changed by an imposter posing as a genuine customer in a bid to defraud Fitbit by claiming on her warranty for a replacement device to be sold on the black market.
The fraudsters also had access to personal data of accounts they broke into, including weight, GPS data, for regular running routes, and even information about sleeping patterns – although there is no suggestion they wished to use it. She told BuzzFeed News she waited five days for Fitbit to respond.
A spokesperson for Fitbit confirmed the company is looking to introduce additional security measures in 2016 to help better protect customers from this type of attack.
But while the business prepares to beef up security, customers have continued to raise the alarm that their accounts had been broken into in fresh attacks, including as recently as Wednesday.
One user posted to Fitbit's customer service forum: "I called customer support and was told they were experiencing high-volume and my case was sent to security. It's now over three days later and I have not received any response from anyone."
But Fitbit denied it had dealt slowly with the issue and said delivering superior customer service was a top priority.
"We take our obligation to protect customer information very seriously," said a spokeswoman.
"Attempts to get something for nothing and defraud customer service are an unfortunate cost of doing business, especially for popular brands like Fitbit, which is why we are vigilant in identifying, blocking, and addressing malicious activity.
"We take immediate action for accounts where we notice suspicious activity by resetting the password and prompting the customer to create a new one.
"The metrics we monitor change over time as attackers change their approach. Fitbit also engages with appropriate law enforcement authorities to provide them with the information they need to pursue those responsible for this type of activity."
BuzzFeed News has also contacted Netflix and Spotify but neither company provided comment at the time of writing.
Sara Spary is a consumer business correspondent for BuzzFeed News and is based in London.
Contact Sara Spary at email@example.com.
Got a confidential tip? Submit it here.