Every Password Counts: Why Even Your FitBit Needs a Strong Password

You know that feeling when you’re signing up for something new, and without thinking you just enter your email address and your ‘go-to’ password, and click “Create Account.” Voila, another account, same old password. You’re not worried because it’s just an account that tracks how many steps you take every day. It’s not like you’re protecting your bank account or credit card.

Not so fast, though. Just because that account doesn’t contain “important information” (though it really does, keep reading), doesn’t mean hackers don’t want it. Earlier this year, FitBit was the target of a password-reuse attack, in which hackers used usernames and passwords from prior breaches of other websites (think LinkedIn) to break into FitBit accounts. Those hackers then changed existing usernames and passwords so the original owner could not access their account, and contacted FitBit with complaints of a defective item to receive a free replacement. Hackers then re-sold those replacement FitBits illegally.

Why it matters to you

The impact of hackers breaking into accounts like FitBit is two-fold. First, the data in this supposed ‘throwaway’ account that you didn’t deem worthy of a strong password actually contains personal information such as GPS tracking, common running routes, and sleeping habits. This is information you don’t want in anyone’s hands, particularly anyone with malicious intentions.

Second, each password you have is a gateway to any other account you might have. If you reuse your passwords and they’ve been leaked, it’s only a matter of time before a hacker discovers the other sites where you use that password. If someone hacks your FitBit account and you use the same password for a site like Venmo or Netflix, now they have access to your credit card and billing information, in addition to your location and other personal details. See where this gets a little scary?

What you should do

The reality is, this can happen to anyone, whether you’re the CEO of Facebook or just a regular guy. The number one thing you can do to protect yourself is to create a unique password for each account. Yes, it’s a hassle, but once you put in the initial work to create unique passwords and store them in a password manager like LastPass, the hardest work is behind you, and so are the potential breaches of your accounts.

It’s also ideal to set up two-factor authentication (2FA) on accounts where it’s an option. With 2FA, you’re designating a second way to confirm your ownership of the account before being granted access to it. This means that even if your password is stolen in a breach, without the second level of authentication (usually a push notification or SMS code sent to your smartphone), attackers will not be able to access the account.

The bottom line

It’s difficult to know which of your accounts, if any, have been leaked in a past breach, especially if companies themselves don’t know if they’ve had a security issue. The best way to combat that unknown threat is to update all of your accounts, each with a unique password, and add two-factor authentication everywhere you can. Plus, using a password manager like LastPass will keep you organized in your security efforts.


  • Stephen Carpenter says:

    Stopped using Last Pass because of unsolved security issue. If LP is “on” and I shut down my PC without turning it off (can happen accidentally) or leave my PC in sleep mode, etc., and then start using my PC again – LastPass is STILL OPERATING without my having to login. If my PC was stolen…even if logged out (the PC) the thief would have access to my LP vault data.

    Seems to me not very secure.

    Sent a copy of my comments to PC magazine, etc., warning people with LP to make the simple test outlined above. If LP doesn’t shut down automatically if it sees that the computer is being shut down (for any reason) or left in sleep or standby, find another password manager.

    • Amber Gott says:

      Hi Stephen, we offer “autologoff” options in the LastPass Icon > Preferences, and in addition you can remotely logoff if ever needed by going to your LastPass Icon > More options > Advanced > Other sessions, and “killing” those sessions. This should address your concerns but please let us know if we can help further.

  • h. de groot says:

    2FA looks great, but how to do that?