“Sorry if I startled you,” hacker tells Arizona man through compromised Nest security camera

A real estate agent in Phoenix, Arizona claims a hacker talked to him through his Nest security camera after using his compromised credentials to log into the device.

Unaware that the username and password he used to log into his security cam had been compromised in a breach, Andy Gregg was startled to hear a strange voice in his house. He was in his backyard when he heard the hacker talk, and initially thought a burglar had entered his home. He soon identified the source of the sound: his Nest Cam IQ security camera.

Claiming to be a “white hat” hacker with the Anonymous hacktivist group, the person told Gregg his private information had been compromised (likely in a previous data breach). He even recited a number of passwords Gregg had been using for various online accounts. The hacker had no access to the cam’s video feed, nor did he have Gregg’s location, but said a more motivated hacker wouldn’t have trouble finding that information.

“I’m really sorry if I startled you or anything. I realize this is super unprofessional, and I’m sorry that it’s a little late in the day to do this. We don’t have any malicious intent,” he told Gregg, according to a recording obtained by The Arizona Republic/azcentral.

Asked how he felt after talking to the hacker, Gregg told reporters:

“You basically feel very vulnerable. It feels like you’ve been robbed essentially and somebody’s in your house. They know when you’re there. They know when you’re leaving.”

Google-owned Nest said in a statement that it’s aware of hackers accessing its products using passwords stolen in hacks of other companies, suggesting it has no control past the user’s login point. Nest, however, recommends users set up two-factor authentication on its home appliances for an additional layer of security. Nest appliances, unlike Chinese knockoffs and other cheap IoT devices, don’t come with default login credentials – users have to set up the device with a unique set of credentials that only they know.

Legislators in the U.S. and U.K. have been pushing for “security by design” in smart products. So far, only California seems to be tackling the issue head on.

Gregg’s credentials were likely leaked in one of the major breaches reported in the past year. Bad actors typically buy compromised login data on the dark web and use credential stuffing techniques – where they ‘stuff’ user names and passwords in websites to find a match. Once an account is compromised, hackers try the same combination of username and password to hack different accounts. Since many people use a single set of credentials for various online accounts, it’s not difficult to imagine how others could experience the same scare as Gregg did. In a situation like this, users should immediately change their passwords and enable 2FA (if they haven’t done so already).