(Source: Fitbit Website Article, 22 April 2014)
How is Fitbit keeping my data secure in light of Heartbleed?
After patching our servers, we now require all customers to log in again. The next time you visit the website or mobile application, you will see the login page. If you can’t remember your password, please follow the instructions in "How do I reset or change my fitbit.com password?"
In addition, we strongly encourage all customers to change their fitbit.com passwords after logging in by visiting https://www.fitbit.com/user/profile/edit.
The nature of the vulnerability makes it difficult to detect malicious behavior that would indicate any customer data or passwords have been compromised. However, we believe these steps are in our customers’ best interests.
Fitbit, like many others, was using an affected version of OpenSSL. We updated all of our servers by 11:00 am (PDT) on April 8th and we are no longer vulnerable. By 5:00 pm (PDT) on the same day, we had also reissued all our certificates with new keys. This is a best-practice safeguard against the possibility that our private keys were compromised through this vulnerability.
Note that Fitbit has long configured our servers to use forward secrecy whenever possible, further reducing the potential damage that the Heartbleed bug could cause.
Behind the scenes, we have also been busy auditing all of our partner integrations and changing our access keys for any partner that was potentially vulnerable.
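The remediation steps above (patch OpenSSL, reissue certificates with new keys, force a fresh login, prefer forward-secrecy cipher suites) can be expressed as checks a defender runs over a server inventory. The following is an added example and is not Fitbit's code; it assumes an inventory record shaped as a small dict (host, `openssl version` banner, certificate notBefore, negotiated cipher), and the hostnames, banners and session records in it are constructed for the demonstration. The cut-off times are the ones stated in the article, converted from PDT to an aware datetime.

```python
"""Post-Heartbleed remediation checks (added example, not Fitbit's code).

Evaluates, for one inventory record, the three things the article describes:
an affected OpenSSL version, a certificate whose key may have been exposed
before the patch, and a cipher suite without forward secrecy. Also derives
which sessions must be invalidated after the patch.
"""
import re
from datetime import datetime, timedelta, timezone

# Versions that shipped the vulnerable heartbeat code: 1.0.1 through 1.0.1f,
# plus the 1.0.2-beta1 pre-release. 1.0.1g and later, and the 1.0.0 / 0.9.8
# branches, never contained it.
_AFFECTED_101 = re.compile(r"^1\.0\.1[a-f]?$")

# Times from the article, expressed as aware datetimes (PDT is UTC-7).
PDT = timezone(timedelta(hours=-7))
PATCHED_AT = datetime(2014, 4, 8, 11, 0, tzinfo=PDT)


def parse_openssl_version(banner: str) -> str:
    """Extract the version token from `openssl version` output,
    e.g. 'OpenSSL 1.0.1e 11 Feb 2013' -> '1.0.1e'."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)", banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1)


def is_heartbleed_affected(version: str) -> bool:
    """True if an upstream version string falls in the affected range.

    Caveat: distributions backported the fix without bumping the upstream
    version, so a positive here means 'confirm against the package changelog
    or a live test', not proof of exposure."""
    return version == "1.0.2-beta1" or bool(_AFFECTED_101.match(version))


def provides_forward_secrecy(cipher: str) -> bool:
    """True if the suite uses an ephemeral (EC)DH key exchange, so a later
    private-key compromise cannot decrypt previously recorded traffic.
    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)."""
    tokens = cipher.upper().replace("_", "-").split("-")
    if tokens[:2] in (["TLS", "AES"], ["TLS", "CHACHA20"]):
        return True  # TLS 1.3 suites always use ephemeral key exchange
    return any(t in {"ECDHE", "DHE", "EDH", "EECDH"} for t in tokens)


def audit_server(record: dict, patched_at: datetime = PATCHED_AT) -> list:
    """Return findings for one inventory record with keys 'host', 'openssl'
    (banner string), 'cert_not_before' (aware datetime) and 'cipher'.
    An empty list means the record passes every check."""
    findings = []
    version = parse_openssl_version(record["openssl"])
    if is_heartbleed_affected(version):
        findings.append(f"openssl {version} is in the affected range")
    # A key in use while the server was vulnerable may have been read out of
    # memory; only a certificate issued after the patch is trustworthy.
    if record["cert_not_before"] < patched_at:
        findings.append("certificate predates the patch; reissue with a new key")
    if not provides_forward_secrecy(record["cipher"]):
        findings.append(f"cipher {record['cipher']} lacks forward secrecy")
    return findings


def sessions_to_invalidate(sessions: list, patched_at: datetime = PATCHED_AT) -> list:
    """IDs of sessions issued while the server was still vulnerable.
    Forcing every customer to log in again, as the article describes, is the
    'everything issued before the patch' case of this rule."""
    return [s["id"] for s in sessions if s["issued_at"] < patched_at]


# Constructed sample data for the demonstration (hypothetical hosts/sessions).
SAMPLE_INVENTORY = [
    {"host": "api.example.test", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "cert_not_before": datetime(2013, 9, 1, tzinfo=timezone.utc),
     "cipher": "AES128-SHA"},
    {"host": "www.example.test", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": datetime(2014, 4, 8, 15, 0, tzinfo=PDT),
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
]
SAMPLE_SESSIONS = [
    {"id": "s1", "issued_at": datetime(2014, 4, 7, 9, 0, tzinfo=PDT)},
    {"id": "s2", "issued_at": datetime(2014, 4, 8, 12, 30, tzinfo=PDT)},
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(rec["host"], audit_server(rec) or ["ok"])
    print("invalidate:", sessions_to_invalidate(SAMPLE_SESSIONS))
```

Run it as-is to see the first constructed host fail all three checks and the second pass; in practice the banner comes from `openssl version` on each host and the certificate date from the deployed certificate, and a positive version match still needs confirmation because distribution packages carried the fix under an older upstream version number.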