Wednesday February 20, 2019

Hackers Use Stolen Credentials from Data Breaches to "Hack" a Nest Thermostat

Jonathan Schisler thought his Amazon Alexa or his kids had changed the temperature to 90 degrees on his Nest thermostat. But while scrolling through the device to clear a message about changing the air filter, he noticed that the email address on the device wasn't his wife's. Even his phone app was logged in under another person's name as the owner of the account. Nest says the Schisler family was affected by a data breach at another website, where the credentials were initially exposed. Because the Schisler family used the same username and password for multiple websites, the hackers were able to commandeer the Nest thermostat. Taking usernames and passwords stolen in data breaches and trying them on the login pages of other, unrelated websites is known as "credential stuffing."

Nest said it hasn't been breached. Instead, the company, which is owned by Google, said Schisler's password was breached on another website: he was using the same password for his Nest thermostat that he used for another site. "In nearly all cases, two-factor verification eliminates this type of security risk," a Google spokesperson said. "We take security in the home extremely seriously, and we're actively introducing features that will reject compromised passwords, and allow customers to monitor access to their accounts and track external entities that abuse credentials."
