Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names
from the Ring-PR-team-looking-to-expand:-masochism/sociopathy-a-plus! dept
The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:
- Engage in law enforcement stings that don't sting anyone
- Teach cops how to bypass warrant requirements
- Sign up a bunch of people for its snitch app
- Use said snitch app to generate "suspicious person" alerts
- Blame users for not securing their cameras properly
- Admit the company places no restrictions on sharing of subpoenaed footage by law enforcement agencies
- Let everyone know it's collecting images of children
The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face that still hasn't healed from the last half-dozen black eyes.
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”
The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.
Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.
And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.
“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.
Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.
This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: credentials, data breach, doorbells, leaks, ring, security
Companies: amazon, ring
Reader Comments
Subscribe: RSS
View by: Time | Thread
Like fighting a fire by tossing on a few logs
“It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
Given said data apparently includes 'log-in emails, passwords, time zones, and the names people give to specific Ring cameras', that excuse just raises a huge freakin question: Exactly why would another company have that data?
If the unnamed company in question got the data without Ring's permission and/or knowledge that would absolutely be a data breach worth mentioning, so the only other explanation is that Ring gave that data to another company, which again raises the questions of 'why?' and 'did they inform users that they would be handing that data to third-parties, and if so what explanation(if any) did they give for handing over everything needed to compromise the cameras they were encouraging people to install in their houses?'
[ link to this | view in chronology ]
Re: Like fighting a fire by tossing on a few logs
I don't want to be interpreted as having anything good to say about the flying hairy big brother clusterfuck that is Ring, much less be seen to defend them, but, honestly, their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.
Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.
[ link to this | view in chronology ]
Re: Re: Like fighting a fire by tossing on a few logs
their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.
While I'm sure they would like that to be the case, it simply doesn't fly. There are thousands of people using their product who just had a whole lot of sensitive information made public, like it or not it is their problem, even if only to the extent of finding the source of the leak(and ideally informing the owners of the cameras so they know who had that information other than Ring) and doing what they can to prevent it from happening again.
Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.
I rather suspect you've found the likely culprit there, and if anything that just makes it more important that they not be let off the hook and allowed to get away with a vague 'someone else is responsible' excuse, as if Ring is going to be using the various police departments as their sales force then I'd say it's rather important for the public they are trying to 'sell' to to know beforehand that said police might very well have full log-in credentials to the cameras they are persuading people to install in their houses, so that they can make an informed decision about said cameras.
[ link to this | view in chronology ]
Whelp...
What a dumpster fire
[ link to this | view in chronology ]
ring of fire by johnny cash
Why do I keep hearing the Ring of Fire by Johnny Cash?
all together now:
robo-copyright activated
[ link to this | view in chronology ]
Re: ring of fire ♨ by johnny ¢a$h
Eiffel inn two a bern inn ringo phyre ♨
Eye weren't doun, doun, doun
Anderr Flaims when tyre
Ann deet byrns, burnes, bernes
The ringo phyre ♨
The ringo feier♨
[ link to this | view in chronology ]
Re: Re: ring of fire ♨ by johnny ¢a$h
O Tay!
[ link to this | view in chronology ]
Hard to have a data breach of your network when you treat user privacy as a sellable commodity or a donut supply for cops.
[ link to this | view in chronology ]
Why on earth would anyone have password stored anywhere?
Every half competent authentication software only stores salted and hashed password.
Unless maybe ring is suggesting that nearly 4000 people 'shared' (possibly unintentionally) their passwords with malicious software/sites/people. (which seems... doubtful to me)
[ link to this | view in chronology ]
"Security team"
"Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “
The security team is not particularly skilled perhaps? Would be interesting to see the teams credentials...
[ link to this | view in chronology ]
citizens/customers who own its products
own its products
You sure about that?
[ link to this | view in chronology ]
whomp whomp whomp
They bought a device that sold out their privacy and now they want their privacy back?
Whomp Whomp Whomp
[ link to this | view in chronology ]
What's next for ring ... possibly a password manager?
[ link to this | view in chronology ]
Certain people/groups have a hardon against Ring ever since the company partnered with law enforcement. For the most part, all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly. I suppose Ring should force 2FA from now on, or perhaps put a huge banner on the setup screen to caution against reusing a password from another site. No matter how secure they make their system, the weak-link is always going to be the users, which is what is being proven over and over again. But, yeah, go blame Ring instead, get your ad-clicks and page hits for shitty click-bait articles.
[ link to this | view in chronology ]
Force 2FA?
When it's cameras on and in your house, yes, maybe they should.
P.S. You're a dick.
[ link to this | view in chronology ]
Re:
So what user error, specifically, resulted in the credentials and device names of nearly 4000 Ring devices being exposed?
[ link to this | view in chronology ]
Re:
The magic code strikes again!
[ link to this | view in chronology ]
Re:
all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly
You state this as though you had supporting data.
Ring should force 2FA
news item talks about hacks bypassing this
https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
Perhaps you have a vested interest in Ring? Maybe you're that person in those ads ... lol
[ link to this | view in chronology ]
Re:
Agree with Ed. While I see all these hysterical posts none of them provide any additional details about why they come to the conclusion that Ring was at fault. RIng has repeatedly pointed out that the reported incidents were investigated and were found to be caused due to use of same passwords as other accounts that were indeed breached. It is not that hard to take emails and passwords that have been collected from other breached sites and tested against Ring to compile a list of "hacked" Ring accounts. Did any of the journalists bother to check what really happened or did they prefer to just be happy with the clicks from their sensational reporting?
[ link to this | view in chronology ]
Re: Re:
Forgot to add... yes I work for Ring... No wait, I actually own the company. Now go ahead and take your cheap shots rather than ask the tough questions on what really happened.
[ link to this | view in chronology ]
Re: Re:
The hysteria (bad word choice btw) is most likely due to the recent news items about ring intrusions. Their analysis, ignoring the bias, states these instances were due to bad password management - ok.
There are security related reports that point out several security related shortcomings of the device that are unrelated to user password management. These reports did not seem "hysterical" to me, but I suppose it is subjective.
idk what "any of the journalists" did to fact check their piece, do most of them share such info with their readers?
It did seem a bit sensational, as in wtf, when I saw the story on the tv where some ass was harassing a child in their own room. But the talking heads should tone it down a notch? Is that what you are suggesting?
Not everyone is a l33t haxor like yourself.
[ link to this | view in chronology ]
Remember folks, the "S" in "IoT" stands for "Security."
[ link to this | view in chronology ]
I don't blame users for not securing their ring doorbell. I blame them for being stupid enough to ever consider installing one. Just because something is possible, doesn't mean it's a smart thing to do.
[ link to this | view in chronology ]
Hmm...
So it was an authorized intrusion/compromise, then?
[ link to this | view in chronology ]
I'm surprised that none of these hackers have taken a more subtle approach and just played spooky sound effects at night to make the owners think their homes are haunted.
[ link to this | view in chronology ]