In recent weeks, there have been a number of fairly alarming reports coming from Nest users about cameras being taken over by "hackers" who use their access to broadcast potentially terrifying messages (or even ask Alexa speakers to play Justin Bieber). The more tech-savvy among us may recognize that this isn't a security failure on Nest's part, but rather tricksters finding that they're able to log in to strangers' Nest accounts with usernames and passwords that have been gathered and distributed around the internet.
It turns out these stories have gained enough traction for Nest to address the issue: Nest VP Rishi Chandra sent an email to users today to reiterate that the company's devices have not been hacked and that there are some simple steps they can take to increase security. Foremost among those is turning on two-step verification and, of course, using a strong and unique password for your Nest account.
Chandra also clearly walks users through how their cameras could be compromised without it being Nest's fault:
For context, even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet. If a website is compromised, it's possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials. For example, if you use your Nest password for a shopping site account and the site is breached, your login information could end up in the wrong hands. From there, people with access to your credentials can cause the kind of issues we've seen recently.
His message also suggests setting up family accounts, rather than sharing an email and password with multiple members of the family who might need access to Nest. He also says users should keep their routers secure and up to date and keep their eyes peeled for phishing email schemes.
These are all reasonable tips, and ones all users should take heed of, but the fact that it was necessary for Nest to send this email in the first place suggests the company let this story get away from it to some extent. Still, there isn't much the company can do about its customers re-using insecure passwords. Indeed, Chandra said in his email that Nest proactively alerts customers when their credentials are found in data breaches and temporarily disables access to accounts.