Nest warns user of password breach - but not from its own systems

Smarthome vendor did the right thing says the Internet Society

Nest, the Google-owned manufacturer of home automation devices best known for its smart thermostat, has warned a customer of a password breach, urging him to change it and deploy two-factor authentication (2FA).

Before other Nest users rush to update theirs in fear of yet another mass compromise, though, the breach did not occur through an attack on Nest's own password databases or a leak from a careless employee. Unusually, the company appears to have discovered the issue via a third party, although exactly which one is unclear.

The story emerged when an employee of the advocacy group Internet Society forwarded the advisory email that Nest had sent to the unnamed customer to Jeff Wilbur, director of the Online Trust Alliance, an initiative within the Society. Wilbur published it as a blog post.

Nest has not revealed its methods and nor is it known how many customers received similar warnings, but Wilbur believes the source of the information may have been the Have I Been Pwned? site run by security researcher Troy Hunt. He points out that a recent addition to the site is the Pwned Passwords service, which can be used to check if a password appears in any of the half-billion credentials known to have been leaked online. Hashed passwords can also be downloaded from the site allowing for bulk analysis.
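The kind of check Wilbur describes, comparing passwords against the downloadable Pwned Passwords hash list, as an added example that is not Nest's or Have I Been Pwned's code. It assumes the list's line format is "uppercase SHA-1 hex, colon, prevalence count"; the two-line list and the account names are constructed sample data.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample in the assumed line format of the downloadable Pwned
# Passwords list: "UPPERCASE-SHA1:times-seen-in-breaches". The hashes are
# SHA-1("password") and SHA-1("123456"); the counts are made up for the demo.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
"""


def load_pwned_hashes(text: str) -> Dict[str, int]:
    """Parse hash:count lines into a lookup table of SHA-1 hex -> prevalence."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        table[digest.upper()] = int(count)
    return table


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the key the Pwned Passwords list is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password: str, pwned: Dict[str, int]) -> Optional[int]:
    """Return how often the password was seen in known breaches, or None if never."""
    return pwned.get(sha1_hex(password))


def audit_accounts(accounts: Dict[str, str], pwned: Dict[str, int]) -> List[Tuple[str, int]]:
    """Bulk check: (username, breach_count) for each account whose password is on
    the compromised list, most-exposed first. These are the accounts to alert."""
    hits = []
    for user, password in accounts.items():
        count = check_password(password, pwned)
        if count is not None:
            hits.append((user, count))
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    pwned = load_pwned_hashes(SAMPLE_PWNED_LIST)
    sample_accounts = {"alice": "password", "bob": "correct horse battery staple", "carol": "123456"}
    for user, count in audit_accounts(sample_accounts, pwned):
        print(f"{user}: password seen {count} times in breaches; alert and require a change")
```

Because a well-run service stores only salted hashes, the comparison can only run when the plaintext is briefly in hand, that is, at login or password change, so a check like this belongs in those code paths rather than in a batch job over the user table.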

However it found out, Nest did the right thing in alerting the customer, Wilbur said. He urged other companies that offer online services to be similarly proactive.

"It appears Nest proactively compared their customers' passwords to a list of known compromised passwords and sent an alert, even going so far as to suggest that the account might be disabled if the password is not changed. This helps stop the spread of illicit access related to compromised passwords while protecting Nest and its customers."

Limiting the impact of compromised passwords is good for everyone, he added, also commending Nest for using the opportunity as a "teachable moment" to advise on the merits of 2FA.

"By following Nest's lead - conducting proactive password hygiene and utilising multi-factor authentication - we can all limit the ongoing damage caused by passwords compromised in breaches."