A colleague just received an “Urgent Security Alert – Action Requested” email from Nest. At first glance it looked like either a phishing attempt or one of the way-too-often breach notifications we all receive these days. Instead, it was a real alert notifying him that the password he uses for his Nest account had been compromised in a data breach – not at Nest but somewhere else. Nest encouraged him to update to a unique password and enable two-step verification (additional authentication beyond a password, usually referred to as multi-factor authentication).
While it’s not clear exactly how Nest determined that the password was compromised, it could have come from security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site). Via this service, you can enter a password to see if it matches more than half a billion passwords that have been compromised in data breaches. A hashed version of the full list of passwords can also be downloaded to do local or batch processing. (“Pwned” is video gamer talk for “utterly defeated,” as in “Last time we played, I pwned him.”)
Hunt created this service in response to the National Institute of Standards and Technology (NIST) Digital Identity Guidelines. Released in June 2017, these guidelines recommend that user passwords be compared against known breached passwords so that users can be encouraged to create unique passwords not already known to bad actors (see section 5.1.1, “Memorized Secrets”).
Nest does the right thing
The Internet Society commends this action by Nest for several reasons. Though Nest is known for their IoT products and its actions track several principles in the Online Trust Alliance initiative’s IoT Trust Framework, this situation highlights best practices that any organization providing online accounts should follow. Last week, Twitter made similar recommendations to its users, though for a different reason (they were concerned that internal un-hashed log files might have exposed users’ passwords).
Some key takeaways for companies offering Internet-based services:
- Protect your customers. It appears Nest proactively compared their customers’ passwords to a list of known compromised passwords and sent an alert, even going so far as to suggest that the account might be disabled if the password is not changed. This helps stop the spread of illicit access related to compromised passwords while protecting Nest and its customers.
- Protect the Internet. By limiting the impact of compromised passwords, this action also helps prevent traditional computers, and mobile and IoT devices from being used to spread malware or as part of a botnet to attack Internet sites or infrastructure.
- Raise the bar. Not only did Nest demand that the password be changed, they also used this “teachable moment” to remind customers about the availability of two-factor authentication, which makes it even harder for bad actors to compromise an account.
And if you’re a user of Internet-based services, here are some recommended actions that the Nest situation surfaced:
- Check your passwords. Visit the Pwned Passwords site and see if the passwords you use are “on the list.” If so, change them to strong, unique passwords. As always, be careful to make sure you’re on the right site since malicious actors are always trying to create lookalike sites to extract sensitive information.
- Enable multi-factor authentication. This additional authentication beyond a password comes in a variety of forms but today is most often a code sent by text that must be entered for access to the relevant service. Many services today offer this option and it will help prevent bad guys from infiltrating your accounts even if they acquire your password.
- Be wary. Phishing is still a real danger and not all alerts will be legitimate, so be careful when responding to them. Nest’s use of “nest-email.com” for the sending domain adds to the suspicion factor (something like “email.nest.com” would be better since many phishers use lookalike domains). Regardless of the domain used for email, a best practice is to visit the known site directly vs clicking a link in the message.
By following Nest’s lead – conducting proactive password hygiene and utilizing multi-factor authentication – we can all limit ongoing damage caused by passwords compromised in breaches.