Can someone take over my Fitbit account?
From time to time, unauthorized parties may attempt to log into Fitbit accounts after stealing the usernames and passwords from another source. This article explains how to protect your account.
An "account takeover" is a phenomenon that affects many popular online destinations, especially if attackers can find a way to make money. While it's not possible for someone to access your credit card information via your Fitbit account, we saw an elevated level of interest in Fitbit once attackers figured out it was sometimes possible to obtain a replacement (per our warranty) and then sell it.
Importantly, the account owners are not charged for the warranty replacement, and most of these warranty replacement attempts are caught by Fitbit’s fraud management tools and personnel and then referred to law enforcement.
The most common way for an account to be taken over is for an attacker to learn the correct username and password associated with the account.
There are a couple main ways that attackers do this:
- By reusing username and password combinations stolen from other online sites or accounts. Since many people use the same username and password across multiple online sites, a compromise of one site can lead to compromises elsewhere.
- By using keylogging and other malware on people’s machines to capture passwords as they are typed.
Fitbit takes our obligation to safeguard customer information very seriously. We're vigilant in identifying, blocking, and addressing malicious activity. We lock accounts we believe have been compromised, meaning we reset the password and prompt the customer to create a new one. The metrics we monitor change over time as attackers change their approach.
Follow these three tips:
- Make sure you use a different password for every online account. Since it is challenging if not impossible to remember passwords, we recommend using a password manager to help. Many excellent options are available, including free solutions built into many popular web browsers. You can also read our tips for creating a secure password in How do I change or reset my Fitbit password?
- Take steps to keep your computer free from malware.
- Consider keeping tabs on your accounts by using a monitoring service like haveibeenpwned.com. These services will let you know if your account details are leaked anywhere online.
If you still have access to your account, change your password to a new, unique password that you’ve never used before.
If you can no longer access your account, contact Customer Support and tell us you suspect an account takeover. We'll route the case to our security team as soon as possible.
If you received an email about resetting your password and you did not make a password reset request, we recommend you create a new, unique password:
- From your fitbit.com dashboard, click the gear icon > Settings.
- Click the Reset Password link under your email address.
Note that you can only change your password on fitbit.com; this option isn't available in the Fitbit app.
If you continue to get password reset emails after changing your password, it's likely that "bad actors" are testing accounts for access; we're doing our best to prevent this annoyance. It's possible that you'll receive these emails in multiple languages.
As long as you created a unique password, your Fitbit account is secure and you can disregard any password-related emails that you didn't initiate. We don’t recommend marking these emails as spam however, since doing so may prevent you from receiving legitimate Fitbit email in the future.
As part of an account takeover, attackers sometimes change the email address associated with the accounts that they access. Contact Customer Support and we'll reset your account if needed.
As previously mentioned, even with your username and password an attacker cannot access your credit card details.
Customers using “Log in with Google” can use multi-factor authentication. We're working on adding native multi-factor authentication for fitbit.com accounts.