Nest Labs, a division of Google, recently discovered a list of email addresses and passwords that had been published online. As part of their ongoing commitment to protect their customers from hackers, Nest continuously monitors databases found online of stolen or leaked passwords. When they found that some of their customers’ passwords were listed on a phishing website, they sent out an email to customers.

Nest Password Leak

Consumers remain the weakest link

Security experts all agree that the weakest link when it comes to internet security is the consumer. People click on suspicious links that download a virus or worm onto their device. They also frequently use the same password across multiple accounts. Many users visit sites that are unsafe where they may be exposed to malware. Often, consumers use the same password for years. All these practices make it very easy for hackers to steal passwords then break into various accounts.

Nest takes proactive stance

When Nest found the databases of leaked passwords, they sent out emails to all of their customers that read in part:

“Nest monitors publicly leaked password databases and checks our own databases for matches. We’ve found that your email and password were included in a list of accounts shared online. Common causes of password theft are falling victim to phishing emails or websites, malware, and password reuse on other websites which may have been compromised.”

The letter goes on to give instructions to users about what to do next and this applies to anyone who suspects that their password has been stolen. Instructions are below:

  1. Sign in to your Nest Account (bank account, credit card account, etc.) immediately.
  2. Navigate to the account management screen and find the item that says, “Reset Password.”
  3. Select a new password. Be sure to use numbers, letters, capital letters and symbols. An example of a good password would be: 57Rop*82!@HK. A password like this is much harder for crooks to decipher. An example of a weak password would be: time1234. This password would be easy for hackers to learn.
  4. Click “Save” to save the new password. Be sure to make a note of the password.
  5. You can also go to the log-in screen of any account including Nest and click on “Forgot Password.” This will initiate a procedure where you are sent a code (usually as a text message). Enter that code where prompted, then proceed to create your new password.

Nest reminded its users that unless they did log on and change their password within a set length of time, the company might disable access to their account. Often, users put off changing passwords so the company most likely felt like it was necessary to include this veiled threat to shut down the account until a new password was chosen.

How to change your Nest password using the app

The company also included instructions for changing the password via the Nest app and these are given below for your convenience:

  • On the Nest app home screen, tap the Menu icon.
  • Select the Account icon.
  • Select “Manage account,” then “Account security,” then “Account password.
  • Enter your current password and your new password, then tap “Save changes.”

How to use Two-Factor Verification (2FA)

Nest also offers the option of 2-step (2-factor) verification, which can add a layer of protection to any account. This is very important to do for financial accounts and other accounts like Nest where your home, family or money might be at risk. The instructions for adding 2-step verification are given below:

  • On the Nest app’s home screen, select the Menu icon at the top.
  • Select Account.
  • Select “Manage account,” then “Account security.”
  • Select “2-step verification.” Then tap the switch to toggle 2-step verification on.
  • Follow the prompts to enter your password, phone number, and the unique verification code sent to your phone.

Cyber theft increasing globally

Many experts are now recommending that customers add 2-step verification to all their online accounts. The increase in hacking and phishing schemes worldwide has alarmed many security experts, as well as consumers. It has become commonplace to read that one of your favorite stores or most trusted brands has lost millions of data records to hackers.

This fact has spawned a new generation of security experts and advocacy groups whose purpose is to stem the tide of the growing number of cyber thefts. One of these groups called the Internet Society was the first to discover the Nest breach when they stumbled across an email from Nest to one of its customers. The society forwarded the email to the Online Trust Alliance and they published it as a blog post. Once this occurred, the story made international news.

How Nest learned of the breach

Though Nest has not revealed how they learned about the compromised passwords, it is believed that they regularly check a site called “Have I Been Pwned?” which is run by Troy Hunt, a security researcher. The site can be used to check whether any of your passwords have been stolen or leaked online. It includes half a billion passwords and other credentials stolen from consumers all over the world.

About Nest Labs

Nest Labs, now a division of Google, provides home automation tools that are programmable, sensor-driven and self-learning. Using your home’s Wi-Fi system, Nest products can be controlled either at home or remotely. These products include smoke detectors, thermostats, indoor and outdoor security cameras, security systems, lights, and other common household appliances.

Nest was founded in 2010 by Matt Rogers and Tony Fadell, engineers who formerly worked for Apple. The company grew quickly to 130 employees and within just a few short years, Nest Labs had grown to 280 employees worldwide. In 2014, Google acquired the company for an estimated $3.2 billion. Today, the company has over 1,200 employees. They recently built a state-of-the-art engineering center in Seattle, Washington.