When hackers gain unauthorized access to user accounts, they may have a number of different goals in mind, but they generally end up causing harm to the hacked user. In a recent attack on Fitbit user accounts, however, the hackers used the access they gained to strike a blow at Fitbit itself. The attack came in the form of warranty fraud.
According to Buzzfeed, who first broke the story, an unknown number of Fitbit customers' accounts were recently compromised to commit warranty fraud. Attackers changed the registered users' email addresses and passwords, making it impossible for the real account owners to log in. The hackers then used the compromised accounts to report "faulty" devices and demand replacements.
Fitbit admitted that its service department had recently been bombarded with complaints from registered users that their devices were not working properly, but since the requests came from the email addresses listed on the accounts, the company assumed they were legitimate.
It wasn't until the company noticed large caches of data from customer accounts being posted to Pastebin that they began to investigate a possible breach.
When the company first saw the data dumps on Pastebin, it initially assumed that Fitbit's own security had somehow been breached and that user account data was being leaked. On closer examination of the data, however, it became apparent that these customers' accounts had been taken over not through a breach of Fitbit, but through breaches of other e-commerce providers.
Despite the countless account breaches we read about in the news each day, people still tend to be creatures of habit, using the same password across multiple accounts. When a user's account is hacked, attackers will often check whether the same login information works on other websites or accounts. In this case, the target was Fitbit users.
In addition to the Fitbit users' email account information, the dumped data also included each user's fitness tracker model, as well as information about the last time the user had synced the device. These Fitbit user account data dumps were being sold on underground forums, Brian Krebs of Krebs on Security revealed.
Once the hackers had access to a Fitbit user's account, they changed the email address associated with it to one they controlled so they could file the fraudulent warranty claim.
Fitbit has since found ways to help prevent this kind of warranty fraud, by assigning risk scores to all requests.
“If we see an account that was used in a suspicious way or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information,” Fitbit’s CSO, Marc Bown, told Krebs.
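The two signals Bown describes, an account used in a suspicious way and many login requests for different accounts from a small group of addresses, translate naturally into a simple risk score over an authentication log. The following is an added illustration written for this article, not Fitbit's own code; the log format, the event names (`login_ok`, `login_fail`, `email_change`, `warranty_claim`), the weights and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real Fitbit data). Assumed line format:
#   <ISO timestamp> <source IP> <account email> <action>
# 203.0.113.7 tries six different accounts in a few seconds, takes over
# alice's account, changes its email and files a warranty claim. grace
# files a claim from her usual address without any email change.
SAMPLE_LOG = """\
2016-01-20T10:00:01 203.0.113.7 alice@example.com login_ok
2016-01-20T10:00:02 203.0.113.7 bob@example.com login_fail
2016-01-20T10:00:03 203.0.113.7 carol@example.com login_fail
2016-01-20T10:00:04 203.0.113.7 dave@example.com login_ok
2016-01-20T10:00:05 203.0.113.7 erin@example.com login_fail
2016-01-20T10:00:06 203.0.113.7 frank@example.com login_fail
2016-01-20T10:05:00 203.0.113.7 alice@example.com email_change
2016-01-20T11:30:00 203.0.113.7 alice@example.com warranty_claim
2016-01-20T12:00:00 198.51.100.4 grace@example.com login_ok
2016-01-20T12:01:00 198.51.100.4 grace@example.com warranty_claim
"""

# Assumed weights: either signal on its own is enough to lock the account
# and ask the customer to reconfirm their details.
SIGNAL_WEIGHTS = {
    "high_volume_source": 2,        # login attempt from an IP hitting many accounts
    "claim_after_email_change": 3,  # warranty claim shortly after the email was changed
}
LOCK_THRESHOLD = 2


@dataclass
class Event:
    ts: datetime
    ip: str
    account: str
    action: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, account, action))
    return events


def high_volume_ips(events, max_accounts_per_ip=5):
    """Source IPs that sent login requests for more than max_accounts_per_ip
    distinct accounts: the 'small group of Internet addresses' signal."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e.action in ("login_ok", "login_fail"):
            accounts_by_ip[e.ip].add(e.account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) > max_accounts_per_ip}


def score_accounts(events, max_accounts_per_ip=5, claim_window=timedelta(hours=24)):
    """Return {account: risk score}. Each signal counts once per account, so a
    burst of failed logins from one bad IP does not inflate the score."""
    bad_ips = high_volume_ips(events, max_accounts_per_ip)
    signals = defaultdict(set)
    last_email_change = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action in ("login_ok", "login_fail") and e.ip in bad_ips:
            signals[e.account].add("high_volume_source")
        elif e.action == "email_change":
            last_email_change[e.account] = e.ts
        elif e.action == "warranty_claim":
            changed = last_email_change.get(e.account)
            # A claim within claim_window of an email change is the
            # 'account used in a suspicious way' signal.
            if changed is not None and e.ts - changed <= claim_window:
                signals[e.account].add("claim_after_email_change")
    return {acct: sum(SIGNAL_WEIGHTS[s] for s in sigs) for acct, sigs in signals.items()}


def accounts_to_lock(events, threshold=LOCK_THRESHOLD):
    """Accounts whose score reaches the threshold and should be locked
    pending reconfirmation by the customer."""
    return {acct for acct, score in score_accounts(events).items() if score >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("high-volume IPs:", high_volume_ips(evs))
    for acct, score in sorted(score_accounts(evs).items()):
        print(f"{acct}: {score}")
    print("lock:", sorted(accounts_to_lock(evs)))
```

On the sample log the scoring flags 203.0.113.7 (six distinct accounts in a few seconds) and locks every account it touched, alice scoring highest because the email change followed by a warranty claim adds the second signal; grace, who filed a claim from her usual address with no email change, is left alone. In a real deployment the thresholds would be tuned against legitimate traffic, and an email change would typically also trigger a confirmation message to the previous address.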
In addition, the company is considering offering two-factor authentication to users to further reduce account hijacking, but fears it may be of little help if users choose not to enable it.
“I’m not sure the type of user who is using the same password at every site is the great target for that [two-factor authentication],” Bown told Krebs. “But we should offer it, and it’s something we plan to offer in 2016 natively.”