The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”
Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.
We don’t know how this tranche of customer information was leaked. Ring denies any claims that the data was compromised as a part of a breach of Ring’s systems. A Ring spokesperson declined to tell BuzzFeed News when it became aware of the leak or whether it affected a third party that Ring uses to provide its services.
“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
It is not clear what “other company's data breaches” the spokesperson was referring to.
The Ring spokesperson added that the company will notify customers who were affected and require them to reset their passwords. An affected customer told BuzzFeed News that they received a notice on Dec. 18.
Security experts told BuzzFeed News that the format of the leaked data — which includes username, password, camera name, and time zone in a standardized format — suggests it was taken from a company database. They said data obtained via credential stuffing — when previously compromised emails and passwords are used to get access to other accounts — would likely not display Ring-specific data like camera names or time zone.
“One could argue that the person maybe got these through credential stuffing,” Cooper Quintin, a security researcher and senior staff technologist at the Electronic Frontier Foundation, told BuzzFeed News. “But if that was the case, why did that person go through and add the information about names of camera and time zones?”
Quintin described the leak as “stunning.”
“This gives a potential attacker access to view cameras in somebody’s home in some of these cases — that’s a real serious potential invasion of privacy right there,” he said.
BuzzFeed News was alerted to the leak by New Zealand security researcher Nick Shepherd, who claimed he used a web crawler to search the internet for any data leaks pertaining to Ring accounts. Shepherd found the list of compromised credentials posted anonymously on a text storage site.
Shepherd called Ring’s customer support number, according to a call log screenshot shared with BuzzFeed News. He said that a representative told him that they were “unable to assist.” After posting about the leak on a cybersecurity-focused subreddit on Dec. 16, a person who claimed to be a member of Ring's security team messaged him. According to screenshots shared with BuzzFeed News, the self-identified member of Ring's security team said that the leak represented compromised data that the company previously did not know about.
Shepherd said he wasn’t surprised that Ring’s data was exposed, because Wi-Fi-enabled smart home devices are inherently vulnerable to hacks and data leaks.
"It’s an open door,” Shepherd said, “and they just don’t realize it.”
BuzzFeed News verified the leak by confirming the exposed information with four individuals whose log-ins were compromised. When contacted, all of these individuals said that Ring did not notify them that their log-ins were exposed. None of them had two-factor authentication enabled on their Ring accounts.
Ring does not alert users of attempted log-in from an unknown IP address, or tell users how many others are logged into an account at one time. Because of this, there is no obvious way to know whether any bad actors have logged into people’s compromised Ring accounts without their consent.
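The two controls the article says were missing, a new-source-IP login alert and a count of open sessions per account, can be checked from an account-activity log. The following is an added illustration written for this page, not Ring's code; the event records and the IP addresses are constructed samples.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of account activity records (hypothetical; not from the article).
SAMPLE_EVENTS = [
    {"account": "alice@example.com", "action": "login",  "ip": "198.51.100.7", "session": "s1", "ts": "2019-12-16T08:00:00"},
    {"account": "alice@example.com", "action": "login",  "ip": "198.51.100.7", "session": "s2", "ts": "2019-12-16T20:00:00"},
    {"account": "alice@example.com", "action": "logout", "ip": "198.51.100.7", "session": "s1", "ts": "2019-12-16T21:00:00"},
    {"account": "alice@example.com", "action": "login",  "ip": "203.0.113.44", "session": "s3", "ts": "2019-12-17T03:15:00"},
    {"account": "bob@example.com",   "action": "login",  "ip": "192.0.2.9",    "session": "s4", "ts": "2019-12-17T09:00:00"},
]


def _ordered(events):
    # Replay events in timestamp order so "first seen" and "still open" are well defined.
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def new_ip_logins(events):
    """Logins from an IP never seen before on that account.

    The account's first login establishes the baseline and is not reported;
    every later login from an unknown IP is returned as (account, ip, ts).
    """
    seen = defaultdict(set)
    alerts = []
    for e in _ordered(events):
        if e["action"] != "login":
            continue
        known = seen[e["account"]]
        if known and e["ip"] not in known:
            alerts.append((e["account"], e["ip"], e["ts"]))
        known.add(e["ip"])
    return alerts


def active_sessions(events):
    """Sessions still open per account after replaying logins and logouts: {account: {session: ip}}."""
    open_sessions = defaultdict(dict)
    for e in _ordered(events):
        if e["action"] == "login":
            open_sessions[e["account"]][e["session"]] = e["ip"]
        elif e["action"] == "logout":
            open_sessions[e["account"]].pop(e["session"], None)
    return {acct: s for acct, s in open_sessions.items() if s}


def concurrent_session_alerts(events, limit=1):
    """Accounts with more than `limit` open sessions, mapped to the sorted IPs holding them."""
    return {acct: sorted(set(s.values()))
            for acct, s in active_sessions(events).items() if len(s) > limit}
```

On the sample log, alice's third login is flagged as coming from a new IP, and she is the only account holding more than one open session at once.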
“I never thought that this would happen with a security company,” one of the affected users told BuzzFeed News. “I’m a little taken back from it.”
“If there was a breach all that information is out there — and you had a list of the cameras and camera names — they need to alert customers, and that information needs to be taken care of,” the affected user added.
All of the affected users said that they had changed their passwords, but that they had no plans to uninstall their security cameras or stop using Ring’s products and services.
“This illustrates that when you bring an internet-connected camera into your home, you’re also potentially bringing anyone on the internet into your home,” Quintin said.
Over 700 police departments in the US have signed contracts with Ring. These contracts give police access to the company’s law enforcement portal, which allows police to request camera footage from residents without obtaining a warrant. In exchange, Ring often gives police free cameras, and it offers police more free cameras if they convince enough people to download its neighborhood watch app, Neighbors.
This data leak is the latest in a string of incidents involving compromised Ring accounts. The home surveillance camera company, which Amazon acquired in 2018, has been targeted by hackers, who used the cameras to harass children and families while documenting their actions on podcast livestreams. In November, cybersecurity company BitDefender published a white paper describing a now-resolved vulnerability that allowed hackers to physically intercept communications between Ring Video Doorbell Pros and a person's Wi-Fi network.
“There have been a number of pretty stunning breaches with Ring devices in the last few weeks,” Quintin said, “and it seems to me like Ring is more interested in making friends with and providing information to police than it is in actually protecting its customers' security.”