From banking to gaming to social media, just about everything requires a log-in username and password. Cyber security experts are warning those who use the same credentials twice.
In mid-January, malicious hackers dumped on the dark web 773 million unique emails and 21 million passwords, in what’s been dubbed “Collection #1.”
“It covered many, many different accounts and many services across the Internet,” said Lesley Carhart, Principal Threat Analyst at Dragos, Inc.
Carhart said the Collection #1 drop might be connected to recent reports of Nest devices being hacked.
On January 20, just three days after Collection #1 was made available, a Lake Barrington man said his Nest security camera was compromised by hackers.
“I couldn’t believe that these devices that I had put up in my home to watch over it, my family, were now being used against me,” said Arjun Sud.
Sud also said the thermostat near his 7-month-old son’s room had been turned up to a dangerous 90 degrees.
“The moment I realized what was happening, panic and confusion set in, and my blood truthfully ran cold,” Sud said.
That same day, across the country, a woman living in the Bay Area in California reported that her Nest camera started blaring an alarming message.
“A man’s voice came on that said North Korea had launched three intercontinental ballistic missiles toward the United States,” homeowner Laura Lyons told The Mercury News. “The missiles were headed toward Los Angeles, Chicago and somewhere in Ohio.”
Lyons described the next five minutes as “sheer terror,” as her family, including her 8-year-old, scrambled on whether or not to seek shelter.
Nest, which is owned by Google, said its systems were not breached. A spokeswoman said the recent reports are based on customers using compromised passwords, exposed through breaches on other websites.
Carhart said once data is dropped online, as seen with Collection #1, cyber criminals can take those stolen emails and passwords and plug them into as many sites as possible in “milliseconds” to fraudulently gain access.
“It’s pretty easy for hackers to automatically check those credentials over time to see which ones work,” Carhart said.
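From the service's side, the automated checking Carhart describes shows up in login logs as one source trying many different accounts in a short time, with almost all attempts failing. The following is an added example, not code from Nest or from this article; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    [(1000 + i * 2, "203.0.113.7", f"user{i}@example.com", i == 4) for i in range(8)]
    + [
        (1003, "198.51.100.20", "alice@example.com", False),  # a user mistyping
        (1009, "198.51.100.20", "alice@example.com", True),   # then logging in
        (1500, "203.0.113.7", "user99@example.com", False),   # isolated later attempt
    ]
)


def detect_stuffing(events, window=60, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames inside a sliding
    time window while mostly failing. Thresholds are assumed defaults.

    Returns {ip: {"distinct_users": int, "accounts_to_lock": set}} where
    accounts_to_lock holds usernames whose login succeeded inside a flagged
    window, i.e. accounts whose reused password evidently worked.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()  # order by timestamp
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            wins = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(wins) / len(span) <= max_success_ratio:
                hit = findings.setdefault(
                    ip, {"distinct_users": 0, "accounts_to_lock": set()}
                )
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                hit["accounts_to_lock"].update(wins)
    return findings


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

The accounts in `accounts_to_lock` are the ones to disable and force through a password reset, since a successful login inside a flagged burst means the leaked password was still in use.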
Security researchers said it is imperative that people use a different password for each website they use. To keep them all straight, Carhart advises customers to download and use a password manager.
Enabling multi-factor authentication is another added level of security, Carhart said. That is a method that requires users to confirm their identities prior to log-in, often by providing codes sent to a cell phone or other device.
“It’s not something we’re used to know how to do. We’re used to securing our car, locking our front door. Those are things we grew up with, but this is a new world of security,” Carhart said.
Meantime, Sud said he wishes Nest did more to alert consumers about available security protections and when someone else accesses his account.
“It was simply a blame game where they blamed me, and they walked away from it,” Sud said.
Since Sud went public with his story, Nest has emailed consumers, acknowledging the problems people have experienced and reminding users how to secure their accounts. They advise enabling 2-step verification, choosing strong passwords and setting up family accounts.
Nest also said its team proactively searches for identity breaches, and “when compromised accounts are found, we alert you and temporarily disable access.” Passwords that appear on compromised lists are also prevented from being used.