Certain Fitbit accounts have recently been reported as compromised. IT security blogger Brian Krebs reached out to Fitbit CSO Marc Brown, who confirmed that this is not a mass breach of the account database but rather the theft of individual account passwords. [i]
Fitbit, the maker of wireless-enabled wearable activity trackers, recently determined that the attacks stem from two sources: credentials stolen by password-stealing malware, and credentials exposed in breaches of other sites and reused by customers who keep the same username/password combination across multiple online services. Once the attackers are logged into an account, they change the associated password and lock the real account holder out. With control of the account, they then submit requests to Fitbit for replacement devices, claiming the existing ones are faulty. [ii]
The attackers target premium devices such as the Surge, which retails for $250, making this a form of warranty fraud.
Fitbit is considering implementing two-factor authentication to counter account hijacking. The company would send a one-time code to the account holder's mobile device, and that code would have to be entered together with the username and password, [i] much as you see when using online banking.
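To make the mechanism concrete, here is an added example of the server side of that one-time-code step: the code is issued once, expires after a short window, tolerates only a few wrong guesses, is compared in constant time and is consumed on first use, and the login succeeds only when both the password and the code check out. This is illustrative code written for this post, not Fitbit's implementation; the class and function names, the five-minute lifetime, the five-attempt limit and the sample accounts are all assumptions.

```python
"""Added example: one-time code (second factor) for a login flow.

Illustrative code for this post, not Fitbit's implementation. The names,
the 5-minute code lifetime and the 5-attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is voided
PBKDF2_ROUNDS = 100_000  # assumed work factor for stored password hashes


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and verifies single-use numeric codes, one pending code per account."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 code_source: Optional[Callable[[], str]] = None):
        self._clock = clock
        # Default: a 6-digit code from the CSPRNG; injectable so tests are deterministic.
        self._code_source = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, username: str) -> str:
        """Create a fresh code for the account and hand it to the delivery channel.

        In a real deployment the returned code goes to the SMS/push sender,
        never back to the browser that requested it.
        """
        code = self._code_source()
        self._pending[username] = PendingCode(code=code, issued_at=self._clock())
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]          # expired: the user must request a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # too many guesses: void the code
            return False
        if hmac.compare_digest(entry.code, submitted):   # constant-time comparison
            del self._pending[username]          # single use: a replayed code is rejected
            return True
        entry.attempts += 1
        return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login(users: Dict[str, Tuple[bytes, bytes]], otp: OneTimeCodeService,
          username: str, password: str, code: str) -> bool:
    """Both factors must pass: a stolen or reused password alone is not enough."""
    record = users.get(username)
    if record is None:
        return False
    salt, digest = record
    if not check_password(password, salt, digest):
        return False
    return otp.verify(username, code)


if __name__ == "__main__":
    # Constructed demo account; in practice the code is delivered out of band.
    users = {"alice": hash_password("correct horse battery staple")}
    otp = OneTimeCodeService()
    delivered = otp.issue("alice")
    print("password only:", login(users, otp, "alice", "correct horse battery staple", "000000"))
    print("password + code:", login(users, otp, "alice", "correct horse battery staple", delivered))
```

The point of the design is that the two failure modes the post describes, a password lifted by malware and a password reused from another breached site, both leave the attacker short of the second factor, while the expiry, attempt limit and single-use rule keep the code itself from being guessed or replayed.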
The fundamental point to take away is that this was not a widespread hack of the physical wearable devices themselves, but an attack on consumer accounts. Most wearables depend on services that run on systems outside the device maker's control, which typically improves the overall customer experience. If those systems are not properly secured, however, the security of the wearable itself is a moot point.
What consumers, and anyone who has ever used a password, should take from this is that the risk of using these devices, and the responsibility for protecting them, inevitably falls on the consumer to some extent.
If you feel a company is not serious enough about your data security, consider other devices, or choose not to use certain apps. The potential exposure of your personal information is not worth the risk.
Please connect with Secure Sense on LinkedIn, follow us on Twitter @Securesense and on Google+ for current company and industry news.
[i] To read more on Krebs's conversation with Fitbit, see:
http://krebsonsecurity.com/2016/01/account-takeovers-fueling-warranty-fraud/#more-33510
[ii] More from ESET’s blog:
http://www.welivesecurity.com/2016/01/12/fitbit-hacking-mean-wearables-iot/