There's a hack for that: Fitbit user accounts attacked

Friends connect via Fitbit

These cybercriminals are trying to step away with some Fitbit gear.

Multiple online accounts belonging to users of the fitness wearable device Fitbit have been penetrated by hackers who changed the email addresses and usernames — and also tried to swindle Fitbit out of replacement items under a user's warranty, according to a new report.

The hackers also gained access to Fitbit users' GPS history, "which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep," according to BuzzFeed News, which first revealed the situation.

A man checks his heart rate on a FitBit Charge HR wearable activity tracker and monitor.
Lisa Werner | Getty Images

Affected users told the news site that they were angry about Fitbit's response to the cyber-breach, saying the company had failed to respond quickly and that Fitbit had been "blaming the users for the security issues."

Fitbit, which denied claims that it hadn't handled the breaches appropriately, refused to reveal how many users have had their accounts compromised other than calling the number a "small proportion" of users, according to BuzzFeed.

A spokeswoman for Fitbit said that the company's computer servers themselves were "not hacked."

"We take the security of our customers' accounts very seriously, so as a precaution, we took measures to reset the passwords of affected users and prompt those users to create new passwords," the spokeswoman said. "To prevent this type of activity in the future, we recommend that customers avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to this type of malicious behavior. Our investigation found that the accounts that were accessed by an unauthorized party had 'leaked' credentials [email addresses and passwords], compromised previously from other third-party sites, unrelated to Fitbit."

The spokeswoman added that the company has found no evidence that customers' GPS information has been accessed. And, she said, "Customers using 'log in with Google' can make use of multifactor authentication today." The company is also developing a similar multifactor authentication for Fitbit.com accounts with the goal of making that feature available later in 2016.