GOOGLE-OWNED Nest has warned customers to change their passwords, claiming that they might have been compromised.
However, Nest was keen to assert that the password compromise did not come via a breach of Nest’s own password databases or a leak from a careless employee. Unusually, the company appears to have discovered the issue via a third party, although exactly which one is unclear.
The story emerged when an employee of the advocacy group Internet Society forwarded an advisory email from Nest to an unnamed customer to Jeff Wilbur, director of the Online Trust Alliance, an initiative within the Society. Wilbur published it as a blog post.
Nest has not revealed its methodology and nor is it known how many customers might have received similar warnings, but Wilbur believes the source of the information may have been the Have I Been Pwned? site run by security researcher Troy Hunt.
He points out that a recent addition to the site is the Pwned Passwords service, which can be used to check if a password appears in any of the half-billion credentials known to have been leaked online. Hashed passwords can also be downloaded from the site allowing for bulk analysis.
However it found out, Nest did the right thing in alerting the customer, Wilbur said. He urged other companies that offer online services to be similarly proactive.
“It appears Nest proactively compared their customers’ passwords to a list of known compromised passwords and sent an alert, even going so far as to suggest that the account might be disabled if the password is not changed. This helps stop the spread of illicit access related to compromised passwords while protecting Nest and its customers.”
Limiting the impact of compromised passwords is good for everyone he added, also commending Nest for using the opportunity for a “teachable moment” to advise on the merits of two-factor authentication.
“By following Nest’s lead – conducting proactive password hygiene and utilising multi-factor authentication – we can all limit the ongoing damage caused by passwords compromised in breaches.” µ
Source : Inquirer