Fitbit Responds to Heartbleed Vulnerability


(Source: Fitbit Website Article, 22 April 2014)

How is Fitbit keeping my data secure in light of Heartbleed?

LAST UPDATED: APR 22, 2014 02:51PM
On Monday, April 7, 2014, information was made public regarding a major vulnerability in the OpenSSL technology that encrypts much of the internet’s traffic. More information about this vulnerability is available at The Wire.

After patching our servers, we now require all customers to log in again. The next time you visit the web site or mobile application, you will see the login page. If you can’t remember your password, please follow the instructions at How do I reset or change my fitbit.com password?

In addition we strongly encourage all customers to change their fitbit.com passwords after logging in by visiting https://www.fitbit.com/user/profile/edit.

Note that if you change your password on a third-party account that is linked to your Fitbit account (such as Twitter, Facebook, Runkeeper, and other partners), you may need to relink that account with your Fitbit account.
You can review the third-party applications you’ve authorized by visiting https://www.fitbit.com/user/profile/apps.

The nature of the vulnerability makes it difficult to detect malicious behavior that would indicate any customer data or passwords have been compromised. However, we believe these steps are in our customers’ best interests.

More information

Fitbit, like many others, was using an affected version of OpenSSL. We updated all of our servers by 11:00 am (PDT) on April 8th and we are no longer vulnerable. By 5:00 pm (PDT) on the same day, we had also reissued all our certificates with new keys. This is a best-practice safeguard against the possibility of having had our key compromised by this vulnerability.

Note that Fitbit has long configured our servers to utilize forward secrecy whenever possible, further reducing the potential damage that the Heartbleed bug could cause.
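The two claims above (certificates reissued with new keys, forward secrecy enabled) are exactly the ones a defender would want to verify on their own estate after Heartbleed. The script below is an added example and is not Fitbit's code or part of the original article. It uses only the Python standard library: it records the negotiated cipher suite, the certificate's notBefore date and a SHA-256 fingerprint of the certificate's subjectPublicKeyInfo, and then checks that the key exchange is ephemeral, that the certificate post-dates the remediation time and, given a copy of the pre-incident certificate, that the public key actually changed (a reissued certificate carrying the old key would give no protection). The remediation deadline constant, the `audit_host`/`assess` names and the sample certificates are assumptions constructed for the example; the sample certificates are not real X.509 objects, only DER with the same field layout, so the key-rotation check can be exercised offline.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# Constructed assumption: the article says keys were reissued by 5:00 pm PDT on
# April 8, 2014, which is 00:00 UTC on April 9. A certificate whose notBefore
# is at or after that instant is treated as issued post-remediation.
REMEDIATION_DEADLINE = datetime(2014, 4, 9, 0, 0, tzinfo=timezone.utc)


def cipher_provides_forward_secrecy(cipher_name, protocol):
    """Ephemeral (EC)DHE key exchange, or any TLS 1.3 suite, means a later leak
    of the server's long-term private key cannot decrypt recorded sessions."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into (tag, full TLV bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, _, pos = _read_tlv(value, pos)
        out.append((tag, value[start:pos]))
    return out


def spki_fingerprint(der_cert):
    """SHA-256 over the subjectPublicKeyInfo of a DER certificate. Minimal walk:
    Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity
    subject subjectPublicKeyInfo. Hashing the key rather than the whole
    certificate is what reveals whether a reissue really used a fresh key."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0][1], 0)
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    return hashlib.sha256(fields[5][1]).hexdigest()


def key_was_rotated(old_der_cert, new_der_cert):
    return spki_fingerprint(old_der_cert) != spki_fingerprint(new_der_cert)


def issued_after_remediation(not_before, deadline=REMEDIATION_DEADLINE):
    """not_before is the string ssl.getpeercert() reports, e.g. 'Apr  9 00:00:00 2014 GMT'."""
    return ssl.cert_time_to_seconds(not_before) >= deadline.timestamp()


def audit_host(hostname, port=443):
    """Live collection over the network: negotiated cipher, protocol, peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return {"cipher": cipher_name, "protocol": protocol,
                    "not_before": tls.getpeercert()["notBefore"],
                    "der": tls.getpeercert(binary_form=True)}


def assess(report, prior_der_cert=None):
    """Turn a collected report into pass/fail findings for the three checks."""
    findings = {
        "forward_secrecy": cipher_provides_forward_secrecy(report["cipher"], report["protocol"]),
        "cert_reissued": issued_after_remediation(report["not_before"]),
    }
    if prior_der_cert is not None:          # needs the pre-incident certificate
        findings["key_rotated"] = key_was_rotated(prior_der_cert, report["der"])
    return findings


# Constructed sample certificates: DER with the X.509 field layout, not real certs.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(key_material, serial):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"sigalg") + _der(0x30, b"issuer") + _der(0x30, b"validity")
               + _der(0x30, b"subject") + _der(0x30, key_material))
    return _der(0x30, tbs + _der(0x30, b"sigalg") + _der(0x03, b"\x00sig"))


SAMPLE_OLD = sample_cert(b"key-A" * 40, b"\x01")       # pre-incident certificate
SAMPLE_SAME_KEY = sample_cert(b"key-A" * 40, b"\x02")  # reissued but key NOT changed
SAMPLE_NEW = sample_cert(b"key-B" * 40, b"\x03")       # reissued with a fresh key

if __name__ == "__main__":
    import sys
    print(assess(audit_host(sys.argv[1] if len(sys.argv) > 1 else "www.fitbit.com")))
```

Run it as `python audit.py example.com` to collect a live report; to get the `key_rotated` finding, pass the DER of the certificate saved before the incident to `assess`. The DER walker deliberately handles only the field order every X.509 certificate shares; for anything beyond extracting the SPKI, use a proper X.509 parser.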

Behind the scenes, we have also been busy auditing all of our partner integrations and changing our access keys for any partner that was potentially vulnerable.
