Jawbone accounts compromised by hackers – personal info accessed, passwords disabled

Graham Cluley

Jawbone, makers of Bluetooth headsets, fitness bracelets, and neat Jambox portable speakers, has warned that hackers managed to break into its systems and accessed the names, email addresses and encrypted passwords of users.

In an email sent to affected users, Jawbone explained that the hack affected an unspecified number of customers who had registered a MyTALK account (used to customise devices and receive firmware updates).

Email from Jawbone

Jawbone said it had disabled the MyTALK passwords of affected customers, and was keen to emphasise that it did not have any evidence that the hackers had abused the stolen information:

"..we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account."

What remains a mystery, however, is how many Jawbone customers were impacted and just how Jawbone stored the encrypted passwords. For instance, there’s no indication that the hashed passwords were salted to introduce a random factor that would make them significantly harder to crack.
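To illustrate why salting matters, here is an added example (not from the original article or from Jawbone; the accounts, passwords and iteration count are constructed assumptions). It stores the same three passwords once as bare hashes and once as per-user salted PBKDF2 records, then counts how many distinct stored values result:

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not breach data); two users share a password.
ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "correct horse battery",
    "carol@example.com": "another-passphrase-42",
}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def unsalted_record(password):
    """Weak storage: a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None):
    """Stronger storage: per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def distinct_digests(records):
    """Number of different stored values across all accounts."""
    return len(set(records))


def build_tables():
    unsalted = {user: unsalted_record(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted distinct:", distinct_digests(unsalted.values()))
    print("salted distinct:  ", distinct_digests(d for _, d in salted.values()))
```

Without a salt, the two accounts that share a password also share a stored hash, so one successful guess exposes both; with a per-user salt every record has to be attacked separately.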

Naturally, some Jawbone customers are concerned, and the firm is posting the same terse response from its Twitter account to users with questions, over and over again:

"The security of our customer’s information is a top priority for us, and we'll continue to work to keep it safe."

A few concerned customers, however, got a more personalised reply:

Tweet response from Jawbone

Impacted Jawbone customers are being asked to reset their passwords.

Of course, just choosing a new password isn’t enough. You should also ensure that the old password (the one that may now be in the hands of hackers) is not being used by you *anywhere* else on the internet.

After all, the bad guys could now try to use your stolen email address and Jawbone password combination to unlock other online accounts. That could be disastrous if, for instance, you were using the same password on – say – your actual email account!

Users have to get into the habit of always using hard-to-crack passwords, and to obey the golden rule of never having the same password on different websites.

At the time of writing I have been unable to find any official mention on Jawbone’s website about the security breach, although a thread has popped up on their support forum.

If you are a Jawbone user, my advice is to change your password. Make it a strong, hard-to-guess one. And if you had been using your old Jawbone password elsewhere on the net – you are going to need new passwords for those sites too.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
