Almost 2M Fitbit accounts exposed by cybercriminals - FAKE?
Update February 17, 2020:
After this report was published, a Fitbit representative responded to our queries, denying that a breach had happened. He told us the company had conducted a thorough investigation and found no indication of any breach of its systems or other unauthorized access to Fitbit user data.
“In fact, nearly all of the included emails on the list are not, and have never been, associated with Fitbit users.” The company’s standpoint is that this dump is being misrepresented as Fitbit user data when it is actually a repackaging of other breach dumps (a ‘combolist’) containing credentials stolen from other sources.
He added that the company “never stores passwords in plain text and instead uses a cryptographically expensive password hash function to protect user passwords”, as part of its controls for minimizing the chance of security incidents such as the one we reported on.
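What “a cryptographically expensive password hash function” means in practice, and how a vendor would use it to test a dump like this one, as an added example that is not Fitbit’s code and does not reflect which function or cost parameters Fitbit actually uses: passwords are stored as a salted scrypt hash with a tunable work factor, verification recomputes the hash and compares in constant time, and a defender can run the leaked email:password pairs against the store to find the few accounts (if any) that the dump really opens. The store, the combolist and the scrypt parameters below are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative scrypt work factor (assumed values for this example, not Fitbit's).
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a random per-user salt.

    The record is self-describing (algorithm and cost parameters travel with
    the hash) so the cost can be raised later without invalidating old records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time so the check does not leak how many bytes matched."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash record: {algo}")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def match_leaked_credentials(store: Dict[str, str], combolist: List[str]) -> List[str]:
    """Defender-side check on a dump: which email:password lines still open an
    account in our store?  Those accounts need a forced reset; every other line
    is either not our user or not their password here (a repackaged combolist).
    Because only hashes are stored, nothing here reveals a password we do not
    already hold in the dump."""
    hits = []
    for line in combolist:
        email, sep, password = line.strip().partition(":")
        if not sep:
            continue  # malformed line, no separator
        record = store.get(email.lower())
        if record is not None and verify_password(password, record):
            hits.append(email.lower())
    return hits


def demo() -> List[str]:
    """Constructed store and dump: one leaked pair still works, the others do not."""
    store = {
        "alice@example.com": hash_password("correct horse battery"),
        "bob@example.com": hash_password("S3cure!pass"),
    }
    dump = [
        "alice@example.com:correct horse battery",  # reused password, still valid
        "bob@example.com:123456",                   # our user, but not his password here
        "carol@example.com:qwerty123",              # not our user at all
        "broken line",
    ]
    return match_leaked_credentials(store, dump)


if __name__ == "__main__":
    print("accounts to force-reset:", demo())
```

The work factor is what makes the stored hashes slow to crack if the store itself leaks; it does nothing against a user whose password was taken in plaintext from another site, which is why the per-line verification (and a forced reset on hits) is the check that matters for a combolist.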
BreachReport is continuously on the lookout for data breaches, investigating incidents and communicating with the companies in question. In this case, the company has taken the necessary precautions and done its due diligence, removing any doubt about its ability to manage users’ private information.
That said, the company’s Facebook page contains a number of comments by users questioning its security methods and complaining that their accounts have been taken over (i.e. the email address on the account was changed). Fitbit seems to be doing its best to respond to each complaint individually, although some have been left unresolved.
* * * *
A user on a well-known hacker forum has leaked the emails and passwords of 1,999,999 users of the widely used health and fitness platform Fitbit, known for gadgets such as smartwatches and for fitness apps that track your training and sleep patterns (among other things). In November 2019 Google LLC announced that it would acquire the company in a $2.1 billion USD deal.
Leaked information and its implications
Where a leaked password is still valid, the credentials allow whoever has them to log in to the account and access the user’s detailed exercise and fitness data: health statistics (blood pressure, heart rate, and so on), training hours, steps walked, walking, jogging and/or cycling history (GPS location, duration, etc.), workout sessions at a local gym, sleep patterns, and more, and to use that data to their advantage.
Having access to such data has potentially very dangerous implications. Namely, if a malicious individual (or a group) has set their sights on you, they can use this information to track you down and follow you.
This can make you, your household members, and property vulnerable to attacks, robberies, thefts, and many other dangerous scenarios, since they can find out all about your movements and habits, as well as where you’re going to be and what you’ll be doing at a specific time.
So if there is someone out there dedicated to harming you, the latest Fitbit hack has opened a new avenue for them to do so. For instance, if you were a senior executive at JP Morgan or a similar organization, your Fitbit credentials would give attackers access to your most private information, to be used against you if they wanted.
Unfortunately, this isn’t the first time Fitbit has been hacked. In January 2016, BuzzFeed News reported that dozens of Fitbit users’ online accounts had been attacked by hackers in December 2015. The cybercriminals used email addresses and passwords from third-party websites to log in to Fitbit accounts.
They then changed the email addresses and usernames, and also attempted to use the stolen data to file false warranty claims for replacement devices. The attackers also gained access to other customer data such as GPS history and sleep patterns.
Fitbit responded by urging its users to refrain from reusing passwords across multiple accounts in order to avoid leaving them more vulnerable to this type of malicious behavior.
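The December 2015 attack described above is credential stuffing: passwords stolen elsewhere are replayed against many accounts, so the signal in an authentication log is one source trying many distinct accounts in a short window, not many attempts against one account. Below is an added detection example (not Fitbit’s code, and the log format and thresholds are assumptions) run over a constructed sample of login events; it flags the stuffing source and lists the accounts it successfully opened, which are the ones to force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample auth log (not real Fitbit logs); one line per login attempt.
SAMPLE_LOG = """\
2015-12-20T03:14:07Z src=203.0.113.5 user=alice@example.com result=fail
2015-12-20T03:14:09Z src=203.0.113.5 user=bob@example.com result=fail
2015-12-20T03:14:11Z src=203.0.113.5 user=carol@example.com result=success
2015-12-20T03:14:13Z src=203.0.113.5 user=dave@example.com result=fail
2015-12-20T03:14:15Z src=203.0.113.5 user=erin@example.com result=fail
2015-12-20T03:14:17Z src=203.0.113.5 user=frank@example.com result=success
2015-12-20T03:20:00Z src=198.51.100.7 user=alice@example.com result=fail
2015-12-20T03:20:30Z src=198.51.100.7 user=alice@example.com result=fail
2015-12-20T03:21:00Z src=198.51.100.7 user=alice@example.com result=success
2015-12-20T04:00:00Z src=192.0.2.9 user=grace@example.com result=success
"""

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

WINDOW = timedelta(minutes=10)        # assumed sliding window
DISTINCT_ACCOUNTS_THRESHOLD = 5       # assumed: 5+ different accounts from one source

Event = Tuple[datetime, str, str, str]   # (timestamp, src, user, result)


def parse_log(text: str) -> List[Event]:
    """Parse log lines into sorted events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"].lower(), m["result"]))
    events.sort()
    return events


def detect_credential_stuffing(events: List[Event], window: timedelta = WINDOW,
                               threshold: int = DISTINCT_ACCOUNTS_THRESHOLD
                               ) -> Dict[str, Set[str]]:
    """Flag sources that touch `threshold` or more distinct accounts inside
    `window`.  Returns {src: all accounts that source tried}.  A user who
    mistypes their own password repeatedly (one account, many attempts) is
    deliberately not flagged here; that is a brute-force rule, not this one."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user, _result in events:
        by_src[src].append((ts, user))
    flagged: Dict[str, Set[str]] = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= threshold:
                flagged[src] = {u for _, u in attempts}
                break
    return flagged


def compromised_accounts(events: List[Event], flagged: Dict[str, Set[str]]) -> List[str]:
    """Accounts that a flagged source logged into successfully: the stuffing
    worked there, so those passwords are known to the attacker and must be reset."""
    return sorted({user for _ts, src, user, result in events
                   if src in flagged and result == "success"})


def analyse(text: str = SAMPLE_LOG) -> Tuple[Dict[str, Set[str]], List[str]]:
    events = parse_log(text)
    flagged = detect_credential_stuffing(events)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    flagged, hit = analyse()
    print("stuffing sources:", sorted(flagged))
    print("accounts to reset:", hit)
```

Real attacks spread attempts across many source addresses, so in production the same rule is usually keyed on an ASN, a device fingerprint or a proxy-reputation score as well as the raw IP, and the success count per source is the metric to page on.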
According to our security experts, 90% of the email-password combinations in the Fitbit file have been found in the XSS.IS combo database, the largest compiled dump of email and plaintext password combinations from multiple websites.
One reason could be that the service does not reject simple passwords, which increases the chance that the same email-password combination is reused on multiple sites. A large number of Fitbit customers use very simple digit strings and phrases such as ‘123456’ and ‘qwerty123’. Here is the list of the most repeated passwords in the latest breach:
Another reason could be that whoever published the XSS.IS dump had long been in possession of part of the database. More will be known once we receive a comment from Fitbit itself.
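The overlap and weak-password figures in the two paragraphs above come from comparing one dump against another. As an added example (not BreachReport’s tooling, and run on constructed sample data rather than the real dumps), the script below parses two combolists in the usual `email:password` / `email;password` formats, measures what fraction of the new file already appears in the known database, ranks the most repeated passwords, and scores how many fall under a simple weakness test. The sample lines and the common-password list are assumptions for illustration.

```python
import re
from collections import Counter
from typing import List, Set, Tuple

Pair = Tuple[str, str]   # (normalised email, password)

# Constructed sample "new" dump; not the real Fitbit file.
NEW_DUMP = """\
Alice@Example.com:123456
bob@example.com:qwerty123
carol@example.com:Summer2019!
dave@example.com;123456
erin@example.com:password
frank@example.com:Tr0ub4dor&3
garbage line without separator
"""

# Constructed sample "known" combo database.
KNOWN_DB = """\
alice@example.com:123456
bob@example.com:qwerty123
dave@example.com:123456
erin@example.com:password
erin@example.com:hunter2
zed@example.com:letmein
"""

# Assumed short list of notoriously common passwords.
TOP_COMMON = {"123456", "password", "qwerty", "qwerty123", "12345678", "111111"}

# email, a ':' or ';' separator, then everything else (passwords may contain ':').
COMBO_RE = re.compile(r"^([^:;\s]+@[^:;\s]+)[:;](.*)$")


def parse_combolist(text: str) -> Set[Pair]:
    """Normalise emails to lower case and drop lines that are not email:password."""
    pairs: Set[Pair] = set()
    for line in text.splitlines():
        m = COMBO_RE.match(line.strip())
        if m:
            pairs.add((m.group(1).lower(), m.group(2)))
    return pairs


def overlap_ratio(new_dump: Set[Pair], known: Set[Pair]) -> float:
    """Fraction of the new dump's exact email:password pairs already in `known`.
    A ratio near 1.0 is the signature of a repackaged combolist, not a fresh breach."""
    if not new_dump:
        return 0.0
    return len(new_dump & known) / len(new_dump)


def top_passwords(pairs: Set[Pair], n: int = 5) -> List[Tuple[str, int]]:
    """Most repeated passwords in the dump, most frequent first."""
    return Counter(pw for _, pw in pairs).most_common(n)


def is_weak(pw: str) -> bool:
    """Crude weakness test: short, all digits, or on the common-password list."""
    return len(pw) < 8 or pw.isdigit() or pw.lower() in TOP_COMMON


def weak_fraction(pairs: Set[Pair]) -> float:
    if not pairs:
        return 0.0
    return sum(1 for _, pw in pairs if is_weak(pw)) / len(pairs)


def analyse(new_text: str = NEW_DUMP, known_text: str = KNOWN_DB):
    new_pairs = parse_combolist(new_text)
    known_pairs = parse_combolist(known_text)
    return {
        "entries": len(new_pairs),
        "overlap": overlap_ratio(new_pairs, known_pairs),
        "top": top_passwords(new_pairs, 3),
        "weak": weak_fraction(new_pairs),
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v}")
```

Exact-pair overlap is the right metric: matching on email alone would count every address that appears in any earlier leak, which inflates the figure, while matching on both fields shows that the password itself was already public.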
Founded in 2007 as Healthy Metrics Research Inc., the California-based company released its first device, the Fitbit Classic, to the consumer market in 2009. Fitbit has since become one of the largest wearable companies in shipments, with other great performers including Apple and Xiaomi.
Its range now includes a number of wireless-enabled wearable technology gadgets (like smartwatches and GPS chips in sneakers) that can measure and keep track of personal data such as heart rate, quality of sleep, steps walked, as well as many other metrics that have to do with fitness. In order to create your profile, the app typically asks for your gender, birth date, and weight.
Thanks to its integration with third-party apps, the devices can collect other related information such as physician and personal health coach statistics, nutrition summaries, body fat, glucose and A1C data, diet restrictions and preferences, period predictions, and more.
According to Statista, Fitbit’s revenue increased from just over $5 million USD in 2010 to more than $1.8 billion USD in 2015. The platform currently has around 28 million active users worldwide and has sold over 100 million devices. In November 2019, Google announced its intention to acquire Fitbit, Inc. for $2.1 billion USD.
* * * *
What to do if you think you’ve been hacked
If you suspect your Fitbit credentials have been exposed in this breach, go to www.breachreport.com and search for your email address in the database of breached accounts. If you find your account among those hacked, make sure to change the password immediately.
Furthermore, change the password on every other website where you used the same one. Other things you can do are listed in our Security Guide. And remember, even if you haven’t been hacked, using a unique password for every account (a password manager makes this practical) is the best defense against this kind of credential reuse.
In addition to incorporating the breach into our database, we have contacted Fitbit.com and are awaiting their clarification and official statement about the incident.