From time to time, unauthorized parties may attempt to log into Fitbit accounts after stealing the usernames and passwords from another source. This article explains how to protect your account.
Why would someone want to take over my Fitbit account?
An "account takeover" is a problem that affects many popular online services, especially where attackers can find a way to make money. While it is not possible for someone to access your credit card information through your Fitbit account, we saw an elevated level of interest in Fitbit once attackers figured out it was sometimes possible to obtain a replacement device under our warranty and then sell it.
Importantly, the account owners are not charged for the warranty replacement, and most of these warranty replacement attempts are caught by Fitbit’s fraud management tools and personnel and then referred to law enforcement.
How does this happen?
The most common way for an account to be taken over is for an attacker to learn the correct username and password associated with the account.
There are two main ways that attackers do this:
- By reusing username and password combinations stolen from other online sites or accounts, a technique known as credential stuffing. Since many people use the same username and password across multiple online sites, a compromise of one site can lead to compromises elsewhere.
- By using keyloggers and other malware on people's computers to capture passwords as they are typed.
What is Fitbit doing about this threat?
Fitbit takes our obligation to safeguard customer information very seriously. We're vigilant in identifying, blocking, and addressing malicious activity. We lock accounts we believe have been compromised: we reset the password and prompt the customer to create a new one. The signals we monitor change over time as attackers change their approach.
What can I do to prevent an account takeover?
Follow these three key tips:
- Use a different password for every online account. Since it is impractical to remember a unique password for every account, we recommend using a password manager. Many excellent options are available, including free solutions built into many popular web browsers. You can also read our tips for creating a secure password in How do I create a secure password?
- Take steps to keep your computer free from malware: keep your operating system and browser up to date, and only install software from sources you trust.
- Consider keeping tabs on your accounts by using a monitoring service like https://haveibeenpwned.com. These services will let you know if your email address appears in a known data breach.
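The breach-monitoring tip above also applies to individual passwords. The following is an added example (not Fitbit's code, nor code from Have I Been Pwned) of checking a password against the Pwned Passwords range API using its k-anonymity scheme: only the first five hex characters of the password's SHA-1 are sent, the service returns every hash suffix sharing that prefix, and the comparison happens locally, so neither the password nor its full hash leaves the device. The `make_fake_fetcher` helper and its sample passwords and counts are constructed so the example runs offline; the `User-Agent` string is an assumption.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password, fetch_range):
    """Return how many times `password` appears in the breach corpus (0 = not found).

    k-anonymity: only the first 5 hex characters of the SHA-1 are sent to the
    service; it replies with every suffix sharing that prefix (one
    "SUFFIX:COUNT" line each), and the match is made locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def http_fetch_range(prefix):
    """Live fetcher for https://api.pwnedpasswords.com/range/<prefix> (uses the network)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check"},  # assumed value
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetcher(breached):
    """Offline stand-in for the range endpoint, built from a constructed
    {password: count} table. The passwords and counts are made up for this
    example and are not real breach data."""
    table = defaultdict(list)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        table[h[:5]].append(f"{h[5:]}:{count}")

    def fetch(prefix):
        # Real responses contain hundreds of suffixes per prefix; add one
        # constructed filler entry so a miss still exercises the matching loop.
        filler = "0" * 34 + "A:1"
        return "\r\n".join(table.get(prefix, []) + [filler])

    return fetch


if __name__ == "__main__":
    fetch = make_fake_fetcher({"password123": 12345, "letmein": 7})
    for pw in ("password123", "letmein", "correct horse battery staple xQ9#"):
        n = pwned_count(pw, fetch)
        print(f"{pw!r}: " + (f"seen {n} times, pick another" if n else "not in sample corpus"))
```

Swap `make_fake_fetcher(...)` for `http_fetch_range` to query the live service; the `pwned_count` logic is unchanged, which is the point of injecting the fetcher. A non-zero count means the password is already in attackers' credential lists and should be replaced, not just avoided for new accounts.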
I think my account has been taken over. What should I do?
If you still have access to your account, change your password to a new, unique password that you’ve never used before.
If you can no longer access your account, please contact Fitbit Customer Support and tell us you suspect an account takeover. We'll route the case to our security team as soon as possible.
I received an email about a password reset request I didn't make. What should I do?
If you received an email about resetting your password and you did not make a password reset request, we recommend you create a new, unique password:
- Log into fitbit.com and click the gear icon in the top right corner.
- Select "Settings."
- Choose the "Reset Password" option that appears under your email address.
Note that you can only change your password on fitbit.com; this option isn't available in the Fitbit app.
If you continue to get password reset emails after changing your password, it's likely that attackers are probing accounts for access by repeatedly triggering the reset flow; we're doing our best to prevent this annoyance. It's possible that you'll receive these emails in multiple languages.
A reset email by itself does not give anyone access to your account, since completing a reset requires the link delivered to your inbox. As long as you created a unique password and your email account is secure, you can disregard any password-related emails that you didn't initiate. We don't recommend marking these emails as spam, however, since doing so may prevent you from receiving legitimate Fitbit email in the future.
I think the email address of my Fitbit account has been changed. What should I do?
As part of an account takeover, attackers sometimes change the email address associated with the accounts that they access. Contact Fitbit Customer Support and we'll reset your account if needed.
Has my credit card been compromised?
As previously mentioned, even with your username and password an attacker cannot access your credit card details.
Why don’t you offer multi-factor authentication?
Customers using "Log in with Google" can benefit from Google's multi-factor authentication today. We are also working on native multi-factor authentication for Fitbit.com accounts.