Over the last few months Fitbit has seen a wave of warranty fraud attempts: customer service has been barraged with emails from people claiming that their device is not working as expected and demanding a replacement.
The emails came from the email address registered on the account and contained correct information about the device, so customer service approved many of the requests and shipped new devices to the address supplied by the fraudster. Fitbit, however, also noticed large caches of customer account data posted on Pastebin, which was puzzling because the company itself had not been breached.
Brian Krebs reported that cyber-criminals are selling hacked Fitbit user accounts on underground forums. Fitbit told Krebs that the data appeared to come from a few sources: customer computers compromised by password-stealing malware, and customers who reuse the same login credentials across many websites.
“Basically, they start a support case with customer service, but before they do that, they change the email address on the account they hacked to an address that they control, and at that point they are the customer,” Marc Bown, security chief of Fitbit said. “For a lot of customers, this ends up creating a pretty negative experience.”
Fitbit said it will lock any account that is used in suspicious ways or that receives a large number of login requests from a small group of internet addresses. The company also expects to offer a two-factor authentication option this year.
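The two defensive signals described above, the login-volume lockout and the email-change-then-support-case pattern Bown describes, can be turned into simple log-based detections. The following is an added example written for this article, not Fitbit's code; the event log, account names, thresholds and IP addresses are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Fitbit data): (timestamp, type, account, detail).
# "login" carries the source IP; "email_change" the new address; "support_case" a summary.
EVENTS = [
    ("2016-01-10T08:00:00", "login", "alice", "203.0.113.5"),
    ("2016-01-10T08:00:02", "login", "bob", "203.0.113.5"),
    ("2016-01-10T08:00:04", "login", "carol", "203.0.113.5"),
    ("2016-01-10T08:00:06", "login", "dave", "203.0.113.5"),
    ("2016-01-10T08:00:08", "login", "erin", "203.0.113.7"),
    ("2016-01-10T08:00:10", "login", "frank", "203.0.113.7"),
    ("2016-01-10T09:00:00", "login", "grace", "198.51.100.9"),  # ordinary user
    ("2016-01-10T08:05:00", "email_change", "bob", "new-addr@example.invalid"),
    ("2016-01-10T08:10:00", "support_case", "bob", "device not charging"),
    ("2016-01-03T12:00:00", "email_change", "grace", "grace2@example.invalid"),
    ("2016-01-10T09:05:00", "support_case", "grace", "strap broke"),
]

def accounts_to_lock(events, window=timedelta(minutes=10), min_accounts=3):
    """Credential-stuffing heuristic (assumed thresholds): an IP that attempts
    logins on many distinct accounts within a short window is treated as an
    attack source, and every account it touched is locked pending verification."""
    by_ip = defaultdict(list)
    for ts, kind, account, detail in events:
        if kind == "login":
            by_ip[detail].append((datetime.fromisoformat(ts), account))
    locked = set()
    for attempts in by_ip.values():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {acc for t, acc in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                locked |= accounts
                break
    return locked

def suspicious_support_cases(events, max_gap=timedelta(days=2)):
    """Account-takeover heuristic: a support case opened shortly after the
    account's contact email changed goes to manual review, not auto-approval."""
    last_change, flagged = {}, []
    for ts, kind, account, _ in sorted(events, key=lambda e: e[0]):
        if kind == "email_change":
            last_change[account] = datetime.fromisoformat(ts)
        elif kind == "support_case" and account in last_change:
            if datetime.fromisoformat(ts) - last_change[account] <= max_gap:
                flagged.append(account)
    return flagged
```

Grace's case is not flagged because her email change predates the support request by a week, while Bob's change five minutes before his claim is exactly the pattern Bown describes.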