Fitbit account hack case a cautionary tale for wearables enthusiasts

Your Fitbit, or other wearable device, could be tracking more than just your health and wellness metrics.

Cybersecurity journalist Brian Krebs and Buzzfeed reported that some Fitbit accounts were discovered to have been breached sometime over the holiday season, when Fitbits were among the hottest selling wearables.

According to cybersecurity expert Stephen Cobb of IT security company ESET North America, the incursions were not part of a large-scale breach such as those that have recently hit a few big healthcare organizations, but rather cases in which several individual account passwords were stolen, guessed or brute-forced.

“These particular scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in,” Cobb wrote on the ESET blog. “The scammers then used the hacked accounts to request new devices to replace ‘faulty’ ones under warranty. Not surprisingly, the higher end devices were targeted.”

While Cobb noted that the Fitbit devices themselves weren’t hacked (at least in these episodes), the warranty scammers “demonstrated why people are concerned about the privacy of data generated by wearable devices, some of which is highly personal.”
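The pattern Cobb describes (a password guessed or brute-forced, the account's contact details changed so the owner is locked out, then a warranty replacement requested) leaves a recognisable trail in ordinary account-event logs, and a vendor's fraud team could flag it before a replacement device ships. The Python below is an added example, not code from ESET, Fitbit or this article. It assumes the vendor records login, contact-detail-change and warranty-claim events with a source IP; the event names, account ids, IP addresses, timestamps and the "previously seen IPs" baseline are all constructed for the example.

```python
"""Flag the takeover-then-warranty-claim pattern in account event logs.

Added example. Assumes the vendor logs login, contact-detail-change and
warranty-claim events with a source IP. Event names, account ids, addresses,
timestamps and the IP baseline below are constructed, not real Fitbit data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                   # failures from one IP on one account...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ...inside this sliding window
CLAIM_WINDOW = timedelta(hours=24)          # max gap: new-IP login -> change -> claim

# IPs each account has used before (constructed baseline, e.g. from prior weeks).
BASELINE_IPS = {
    "acct-1001": {"198.51.100.7"},
    "acct-2002": {"198.51.100.9"},
    "acct-3003": {"198.51.100.8"},
}

# Constructed event log: (ISO timestamp, account, event, source IP).
SAMPLE_EVENTS = [
    ("2015-12-26T02:10:00", "acct-1001", "login_failure", "203.0.113.5"),
    ("2015-12-26T02:10:05", "acct-1001", "login_failure", "203.0.113.5"),
    ("2015-12-26T02:10:09", "acct-1001", "login_failure", "203.0.113.5"),
    ("2015-12-26T02:10:14", "acct-1001", "login_failure", "203.0.113.5"),
    ("2015-12-26T02:10:20", "acct-1001", "login_failure", "203.0.113.5"),
    ("2015-12-26T02:10:31", "acct-1001", "login_success", "203.0.113.5"),
    ("2015-12-26T02:11:02", "acct-1001", "email_changed", "203.0.113.5"),
    ("2015-12-26T02:11:40", "acct-1001", "password_changed", "203.0.113.5"),
    ("2015-12-26T03:45:00", "acct-1001", "warranty_claim", "203.0.113.5"),
    # Legitimate owner filing a claim from a known address: no prior change.
    ("2015-12-26T08:00:00", "acct-2002", "login_success", "198.51.100.9"),
    ("2015-12-26T08:05:00", "acct-2002", "warranty_claim", "198.51.100.9"),
    # Owner travelling: new IP and a password change, but no warranty claim.
    ("2015-12-26T12:00:00", "acct-3003", "login_failure", "198.51.100.20"),
    ("2015-12-26T12:00:30", "acct-3003", "login_success", "198.51.100.20"),
    ("2015-12-26T12:02:00", "acct-3003", "password_changed", "198.51.100.20"),
]


def parse(events):
    """Convert timestamps to datetime and return the events in time order."""
    return sorted((datetime.fromisoformat(ts), acct, ev, ip)
                  for ts, acct, ev, ip in events)


def find_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD,
                     window=BRUTE_FORCE_WINDOW):
    """Return the set of (account, ip) pairs that hit `threshold` login
    failures inside any `window`-long interval (password guessing)."""
    recent_failures = defaultdict(list)   # (account, ip) -> failure times
    hits = set()
    for ts, acct, ev, ip in parse(events):
        if ev != "login_failure":
            continue
        recent = recent_failures[(acct, ip)]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            hits.add((acct, ip))
    return hits


def find_takeover_claims(events, baseline=BASELINE_IPS, window=CLAIM_WINDOW):
    """Return (account, claim_time, ip) for every warranty claim filed within
    `window` of an email/password change that itself followed, within
    `window`, a successful login from an IP the account had never used."""
    known_ips = defaultdict(set, {a: set(ips) for a, ips in baseline.items()})
    new_ip_login = {}     # account -> time of latest login from an unseen IP
    detail_change = {}    # account -> time of latest change after such a login
    flagged = []
    for ts, acct, ev, ip in parse(events):
        if ev == "login_success":
            if ip not in known_ips[acct]:
                new_ip_login[acct] = ts
            known_ips[acct].add(ip)
        elif ev in ("email_changed", "password_changed"):
            if acct in new_ip_login and ts - new_ip_login[acct] <= window:
                detail_change[acct] = ts
        elif ev == "warranty_claim":
            changed = detail_change.get(acct)
            if changed is not None and ts - changed <= window:
                flagged.append((acct, ts, ip))
    return flagged


if __name__ == "__main__":
    print("brute force:", find_brute_force(SAMPLE_EVENTS))
    for acct, when, ip in find_takeover_claims(SAMPLE_EVENTS):
        print(f"hold replacement for {acct}: claim at {when} from {ip}")
```

Both rules are deliberately narrow: the first only catches guessing from a single address, and the second keys on IP novelty, so an attacker using a stolen password from a network the victim has used before, or a legitimate owner who travels, changes a password and then files a genuine claim, will be missed or mis-flagged respectively. In practice the second rule is better used to route a claim for manual review (or to re-notify the old email address) than to reject it outright.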

In his blog post, Cobb also declared that the entire activity tracker ecosystem needs better security practices and technologies, especially in a world in which consumer devices are increasingly interconnected via the Internet of Things.

Cobb maintained that the wearables sector needs to pay more attention to Privacy by Design (PbD), the framework developed by the Information and Privacy Commissioner of Ontario, Canada, for embedding privacy protection into the design specs of technologies, business practices and physical infrastructure. That office publishes PbD's seven foundational principles.

He also suggested consumers consider the following points when buying and using wearables of any brand:

  • Do an Internet search on the wearable you want to buy to see whether the device has been associated with any hacks, frauds or scams
  • Set up your wearable and its associated online account with an obscure username and a password that is unique to that account, so that neither can be guessed and a password leaked from another site cannot be reused against it
  • Read the privacy policy of the device and app you're about to plunk down cash for and check how serious the vendor is about privacy

1 comment

Looking at the bigger picture, this is not unlike politics or any other social issue. Not to be too negative, I'm thinking that if we are gullible enough to wear these devices and not question what information is being gathered and how it's being handled then we probably deserve the outcomes. It's how humans evolve - and learn. Unfortunately, in many cases, we are making decisions based on no information at all or deep-seated gullibility that others are always doing the right things in our best interests when it's actually quite the opposite.