An Arizona real estate agent was shocked when a voice started broadcasting from his Nest security camera recently, addressing him directly.
Andy Gregg was in his backyard when he heard the voice, belonging to someone who claimed to be a “white hat hacker” from Canada, Gregg told the Arizona Republic. A white hat hacker is a hacker who exposes security vulnerabilities for the greater good, rather than their own benefit.
Videos by VICE
Gregg recorded the conversation that followed. In the video, a voice can be heard over the speaker telling Gregg that he was contacting him in the creepiest way possible to warn him about the security risks of his internet-connected camera.
“We don’t have any malicious intent, but I’m just here to kind of let you know so that no one else, like any black-hat hackers, follow,” the voice can be heard saying. “There are so many malicious things somebody could do with this.”
It’s worth noting that the “hack” here was not particularly sophisticated, if it went down as described.
Gregg told the newspaper that the hacker told him his private information had been “compromised,” and recited to Gregg a password that he had used for multiple websites. Since Gregg used the same password for his Nest, and apparently didn’t use two-factor authentication, it would have been easy for anyone with that information to log in remotely to the camera.
There have been numerous data breaches that leaked usernames, emails, and passwords for millions of people, and databases containing such information are bought and sold online, and Nest said to the Arizona Republic in a statement that it was aware passwords stolen in hacks of other companies have been used to access its cameras.
The creepy incident is a reminder of why it’s important to set up basic security and privacy protections, such as using a password manager (so your password is different for every account), and setting up two-factor authentication (so even if someone steals your password, they can’t log in to your account very easily). To help you set up two-factor authentication, see this website and keep in mind that experts don’t consider SMS a secure second factor anymore. Instead, use an app such as Google Authenticator, DUO Mobile, or Authy.
You can easily check if your information was included in any data leaks by visiting Have I Been Pwned. Motherboard’s extensive guide to not getting hacked also gives you some easy-to-follow steps on how to protect yourself online. It takes just a few minutes to make sure your information is more secure—unless you’re set on using your smart home devices to meet some new Canadian hacker friends, that is.