Security Technology

A Data Leak Exposed the Personal Info of Over 3,000 Ring Users (buzzfeednews.com)

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as "bedroom" or "front door." BuzzFeed News reports: Using the log-in email and password, an intruder could access a Ring customer's home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user's cloud storage plan. We don't know how this tranche of customer information was leaked. Ring denies any claims that the data was compromised as a part of a breach of Ring's systems. A Ring spokesperson declined to tell BuzzFeed News when it became aware of the leak or whether it affected a third party that Ring uses to provide its services.

Security experts told BuzzFeed News that the format of the leaked data -- which includes username, password, camera name, and time zone in a standardized format -- suggests it was taken from a company database. They said data obtained via credential stuffing -- when previously-compromised emails and passwords are used to get access to other accounts -- would likely not display Ring-specific data like camera names or time zone. BuzzFeed News was alerted to the leak by a security researcher, who claimed he used a web crawler to search the internet for any data leaks pertaining to Ring accounts. The security researcher found the list of compromised credentials posted anonymously on a text storage site.
"Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," a Ring spokesperson said. "It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services."
  • Just a simple talk-back component that connects to my smartphone with audio and maybe video and NOT force feed google or amazon or apple etc. cloud on me?

    • What does this thing do that you can't get out of a standard off the shelf security system?

      Raspberry Pi running MotionEye with whatever USB camera you've got would be a low cost, low energy alternative running only FOSS and not leaking to big tech. Should be pretty easy to add some back and forth audio capabilities.

      • by larwe ( 858929 )
        People always bring up RPi solutions when "private security systems that don't answer to The Man" are being discussed. Unfortunately, besides the fact that there is a *lot* of messing about (by consumer standards) required to get such a solution operational at all, there's both simple utility (functionality) and reliability (handling exceptional conditions, edge cases, etc) that you get with a commercial solution, that you don't get with hand-rolled hackerware.

        Commercial cameras of this kind generally reac

        • Bought an off the shelf system, with a TV, for $500 on Amazon. The networking was a bit of a PITA, given the difficulties of securing its chinesium contents, but... it's not expensive to set up your own private system, and keep it on a VPN for access, and firewall it, and make sure there's no unexpected traffic. Past that...

          What else do you want, short of moving into Serious Money?

          • by larwe ( 858929 )
            It's not EXPENSIVE but it is not TURNKEY. See above about setup and maintenance. Also I bet you don't have the ability to integrate it with home automation [without a lot more manual malarkey, anyway]. I bet you don't have a convenient app that will give you push notifications when something happens on your cameras, etc. Again, this is a tradeoff thing.
            • I agree it'd be a little harder to extend, but it speaks pretty standard protocols, uses standard cameras, PTZ or otherwise, and does have an app for push notifications. You can set adjustable motion detection with zones and sensitivity, and pretty much all the stock "security camera" stuff, (notifications via any of 14 gajillion mechanisms, pre-roll, schedules, etc.), except say, facial recognition.

              No, it's not 100% turnkey, but it also was a package intended to be plug and play (though unwise from a secur

        • "YET ANOTHER hurdle to the list..." - I think that you should return your Geek card.
          • by larwe ( 858929 )
            It could be argued I had to do that when I became engineering management and not engineering... but seriously, for some things in life, masochism is a suboptimal choice. I love good bread but I don't want to mill my own grain.
            • Right. Just because you CAN do something doesn't mean you SHOULD do it. This is what separates good engineers from geniuses. To me this is the classic Android versus Apple argument as well. Sure you can do everything on both, but the Apple is more polished. A 2nd grader and a 72 year old can figure an iPhone out without instructions. As you mention, you can spend hours on it, just to be hacked anyway. Or, just buy the Ring and turn on 2-step authentication like you probably should do anyway (RPi, or
    • by AHuxley ( 892839 )
      CCTV and a network port of the NVR?
    • by gweihir ( 88907 )

      Nope. These things are made cheaply or not at all. And cheap IoT devices come with insecure and unreliable software. It basically is a tradition. Now, you _can_ get some similar components, like networked cameras or real ICS sensor readers and actuator drivers that are better, but expect to pay quite a bit more and also expect to put them on a separate, isolated network to get good security.

    • There's a really minimal, very secure alternative.

      It's an inert lump of metal hinged at the top that impacts the door, causing an acoustic wave to propagate through the house. No credentials are stored or required.

      "The S in IoT stands for security" - Tim Kadlec

    • Like, RTSP clients/servers?

  • "Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," a Ring spokesperson said. "It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services."

    So it has nothing to do with Ring at all. Great headline.
    • Exactly. So someone found out that 3000+ Ring users used the same email and password that were used somewhere else that was leaked, and this is somehow Ring's fault? But most people only read the headline, so now the "fact" that Ring had a data leak is out there. Fake news indeed.

  • They want their own privacy but film the public space with cameras that send the data to Amazon. The leak couldn't hit a more deserving crowd.
    • Uhhhh have you guys even seen a Ring video? It shows the person's front porch. There is no public space here. And yeah this has nothing to do with ring. The data was from credentials that were stolen from other services! And fuck you if you don't like Ring. The rest of us don't want our packages stolen. No one gives a shit about what you guys are doing in life.

      • by Anonymous Coward

        Mine shows my front porch, the public street, and the house across the street.

      • by larwe ( 858929 )
        1- There is no expectation of privacy (a term of art) on your front porch, assuming it is visible from a public space.

        2- It is far from proven that this was in fact a breach of a third party. As the article points out, the list isn't simply user/pass combos - it also includes camera names and timezones. It is CONCEIVABLE that this information would be stored by a third party but it is UNLIKELY. If Amazon even provides API access to Ring cameras that requires a login like this, it is very unlikely the calli

        • It's really obvious there are two ring or people in here trying to sculpt the narrative. It's sad really.
          • by larwe ( 858929 )
            I could believe it, particularly given the hyper aggressive PR management AMZN has used with spinning the police access to Ring footage. It's hard to tell the difference between astroturfers and actual fanbois these days, though. I'm just trying to work with the evidence we've been given and not listen to the "narrative" - because that is always being sculpted by someone :).

            (Interestingly, I'm primary inventor on a patent that AMZN seems to be directly using - 10,257,469 "Neighborhood Camera Linking System

        • Only in the USA can a judge tell you what you expect. Privacy comes in levels. For example, if you are alone with your loved one, do you have privacy? A judge would probably say no, because there is someone around. Anyone else would say yes, because that is exactly the privacy level you wanted. If I walk in public, I expect coincidental passers-by to be able to see me, but publicizing my presence is stalking, and therefore a severe breach of my privacy.
          • by larwe ( 858929 )
            I caveated what I said by noting that it was a term of art, which is itself a term of art. To be more explicit, then: "For Ring customers in the USA, if the camera is covering an area that is visible from a public right of way such as a sidewalk, the video footage is not "private information" because people who are within view of the camera do not have an expectation of privacy since they are visible not only to the camera, but also to anyone walking down the sidewalk. I added the proviso of "video footage"
      • You think THAT is what this is about?

        Hint: A camera can do NOTHING AT ALL against a thief. It cannot run or catch him! He will wear a mask, and be gone before the cops arrive. It adds NOTHING to the function of a door lock.
        You know what does? The key!
        And for that you sold free access to your house(!!) to a more ... select ... gang of thieves ... to spy on you not only with a camera, and in person of course, but also with the "smart" speaker^Wsnooper I'm sure you connected it to!!
        Great fucking job, you utter

        • by larwe ( 858929 )
          So, I hear your arguments but need to point out that there are many other use cases for a video doorbell with 2-way audio:

          - Knowing who (apart from delivery persons) has visited your house while you were out. In some cases, talking to them. For example I have to step out to pick up something urgent (medicine maybe), and the guy who was supposed to be picking up my craigslist for-sale item arrives. I can tell him "wait 5 minutes I'll be back".

          - Dealing with door callers without having to communicate with

          • by cusco ( 717999 )

            We have ours installed at our cottage, so that if someone rings and we're not there we can find out what is going on. Mostly we use it for our AirBnB guests if they forget the combination to the key box or lock themselves out, and it allows us to know when they've checked in or out if they forget to notify us.

            I would be willing to bet this was a database sample that a developer walked off with when their contract ended since there are only 3600 entries.

        • You know how we solve this here on Germany[?]

          We remember your last "solution".

          This is an American website, with a primarily American user base, discussing a fuck-up by an American company.

          As long as you aren't trying to enslave the rest of Europe and committing genocide, we really don't care what your German solution is.

  • Please tell me there's not more than 3000 so insanely retarded people out there.

    Also: Clearly the problem is not the data going to evil third parties. As that is its key function. The problem seems to be that it was not Beelzebub Amazon specifically. ;)

  • So much for the Goofle, Fakebook, Aimlesszon info cartel. Take back your rights. Take back your privacy. Take back your data.

    If you dare.


    I double dog dare you.
