A Data Leak Exposed the Personal Info of Over 3,000 Ring Users (buzzfeednews.com) 40
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as "bedroom" or "front door." BuzzFeed News reports: Using the log-in email and password, an intruder could access a Ring customer's home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user's cloud storage plan. We don't know how this tranche of customer information was leaked. Ring denies any claims that the data was compromised as a part of a breach of Ring's systems. A Ring spokesperson declined to tell BuzzFeed News when it became aware of the leak or whether it affected a third party that Ring uses to provide its services.
Security experts told BuzzFeed News that the format of the leaked data -- which includes username, password, camera name, and time zone in a standardized format -- suggests it was taken from a company database. They said data obtained via credential stuffing -- when previously-compromised emails and passwords are used to get access to other accounts -- would likely not display Ring-specific data like camera names or time zone. BuzzFeed News was alerted to the leak by a security researcher, who claimed he used a web crawler to search the internet for any data leaks pertaining to Ring accounts. The security researcher found the list of compromised credentials posted anonymously on a text storage site. "Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," a Ring spokesperson said. "It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services."
Is there any safe, minimal alternative to Ring? (Score:2)
Just a simple talk-back component that connects to my smartphone with audio and maybe video and NOT force feed google or amazon or apple etc. cloud on me?
Re: (Score:2)
What does this thing do that you can't get out of a standard off the shelf security system?
Raspberry Pi running MotionEye with whatever USB camera you've got would be a low cost, low energy alternative running only FOSS and not leaking to big tech. Should be pretty easy to add some back and forth audio capabilities.
Re: (Score:2)
Commercial cameras of this kind generally reac
Re: (Score:2)
Bought an off the shelf system, with a TV, for $500 on Amazon. The networking was a bit of a PITA, given the difficulties of securing its chinesium contents, but... it's not expensive to set up your own private system, and keep it on a VPN for access, and firewall it, and make sure there's no unexpected traffic. Past that...
What else do you want, short of moving into Serious Money?
Re: (Score:2)
I agree it'd be a little harder to extend, but it speaks pretty standard protocols, uses standard cameras, PTZ or otherwise, and does have an app for push notifications. You can set adjustable motion detection with zones and sensitivity, and pretty much all the stock "security camera" stuff, (notifications via any of 14 gajillion mechanisms, pre-roll, schedules, etc.), except say, facial recognition.
No, it's not 100% turnkey, but it also was a package intended to be plug and play (though unwise from a secur
Re: (Score:3)
Nope. These things are made cheaply or not at all. And cheap IoT devices come with insecure and unreliable software. It basically is a tradition. Now, you _can_ get some similar components, like networked cameras or real ICS sensor readers and actuator drivers that are better, but expect to pay quite a bit more and also expect to put them on a separate, isolated network to get good security.
Re: (Score:2)
So you think somebody breaking in is not a "hack"? My understanding was that it matters where the attackers get in, no matter where they get the credentials from. This, for example, means Ring is not doing 2FA, not doing anomaly detection (or doing it ineffectively), allow log-in from anywhere and are not in any way prepared for ordinary users re-using credentials. If you think that is acceptable and professional in this day and age, then there is a problem on your side.
So, right back at you.
Re: Is there any safe, minimal alternative to Ring (Score:2)
There's a really minimal, very secure alternative.
It's an inert lump of metal hinged at the top that impacts the door, causing an acoustic wave to propagate through the house. No credentials are stored or required.
"The S in IoT stands for security" - Tim Kadlec
Re: (Score:2)
Like, RTSP clients/servers?
Nothing to do with Ring (Score:2, Informative)
So it has nothing to do with Ring at all. Great headline.
Re: (Score:2)
Exactly. So someone found out that 3000+ Ring users used the same email and password that were used somewhere else that was leaked, and this is somehow Ring's fault? But most people only read the headline, so now the "fact" that Ring had a data leak is out there. Fake news indeed.
Good. Fuck the fucking fuckers who dismiss privacy (Score:2)
Re: Good. Fuck the fucking fuckers who dismiss pri (Score:1)
Uhhhh have you guys even seen a Ring video? It shows the person's front porch. There is no public space here. And yeah this has nothing to do with Ring. The data was from credentials that were stolen from other services! And fuck you if you don't like Ring. The rest of us don't want our packages stolen. No one gives a shit about what you guys are doing in life.
Re: (Score:1)
Mine shows my front porch, the public street, and the house across the street.
WTF is wrong with you? (Score:2)
He harms nobody.
YOU, on the other hand, DO.
Re: (Score:2)
He's a troll who has gotten really lazy and sloppy. Don't bother.
Re: (Score:3)
2- It is far from proven that this was in fact a breach of a third party. As the article points out, the list isn't simply user/pass combos - it also includes camera names and timezones. It is CONCEIVABLE that this information would be stored by a third party but it is UNLIKELY. If Amazon even provides API access to Ring cameras that requires a login like this, it is very unlikely the calli
Re: Good. Fuck the fucking fuckers who dismiss pr (Score:2)
Re: (Score:2)
(Interestingly, I'm primary inventor on a patent that AMZN seems to be directly using - 10,257,469 "Neighborhood Camera Linking System
You'd sell your ass for a cookie, wouldn't you? (Score:2)
You think THAT is what this is about?
Hint: A camera can do NOTHING AT ALL against a thief. It cannot run or catch him! He will wear a mask, and be gone before the cops arrive. It adds NOTHING to the function of a door lock. ... select ... gang of thieves ... to spy on you not only with a camera, and in person of course, but also with the "smart" speaker^Wsnooper I'm sure you connected it to!!
You know what does? The key!
And for that you sold free access to your house(!!) to a more
Great fucking job, you utter
Re: (Score:2)
- Knowing who (apart from delivery persons) has visited your house while you were out. In some cases, talking to them. For example I have to step out to pick up something urgent (medicine maybe), and the guy who was supposed to be picking up my craigslist for-sale item arrives. I can tell him "wait 5 minutes I'll be back".
- Dealing with door callers without having to communicate with
Re: (Score:2)
We have ours installed at our cottage, so that if someone rings and we're not there we can find out what is going on. Mostly we use it for our AirBnB guests if they forget the combination to the key box or lock themselves out, and it allows us to know when they've checked in or out if they forget to notify us.
I would be willing to bet this was a database sample that a developer walked off with when their contract ended since there are only 3600 entries.
Re: (Score:2)
You know how we solve this here on Germany[?]
We remember your last "solution".
This is an American website, with a primarily American user base, discussing a fuck-up by an American company.
As long as you aren't trying to enslave the rest of Europe and committing genocide, we really don't care what your German solution is.
Soo... all of them? (Score:2)
Please tell me there's not more than 3000 so insanely retarded people out there.
Also: Clearly the problem is not the data going to evil third parties. As that is its key function. The problem seems to be that it was not Beelzebub Amazon specifically. ;)
Oh well. (Score:2)
If you dare.
I double dog dare you.