Jawbone, maker of speakers, headsets and personal activity trackers, today began warning users of its MyTALK personalisation service that it has been targeted in an “isolated” attack that has seen names, email addresses and hashed passwords compromised.
In its email, Jawbone states that it doesn’t believe there has been “any unauthorized use of login information or unauthorized access to information,” but it has disabled all old MyTALK passwords to safeguard customer accounts.
The email in full (via Matt Gemmell):
We are writing to inform you of an important security matter. We recently learned that login information for your Jawbone MyTALK account was compromised by an isolated attack on our system.
In the course of this attack, limited user information related to your MyTALK account—specifically your name, email address, and an encrypted version of your password (not the actual letters and numbers in your password)—was compromised. We took immediate action to protect your login information. Based on our investigation to date, we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account.
To help protect your account, we have disabled your old MyTALK password and you can no longer use it. Please reset your MyTALK password by following the instructions below. To help ensure that your information remains safe, we recommend that you do not choose the same password that you use to log in anywhere else, and change your password on other sites where your old MyTALK password is used.
Jawbone also offers a guide, walking those affected through the process of changing their passwords.
Jawbone’s MyTALK service allows owners of its Bluetooth headsets to keep them up to date with the latest apps, upgrades and features. Applying software updates, adding new features and changing settings can all be managed remotely.
The company uses customer information to personalise the service, making it an ideal target for malicious attackers.
If you have been affected by the attack, now is the time to change your password. While the passwords were not stored in plain text, attackers may still be able to recover them from the compromised hashes.