Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names

from the Ring-PR-team-looking-to-expand:-masochism/sociopathy-a-plus! dept

The eternal flame that is Ring’s dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:

The latest bad news for Ring — via Caroline Haskins of BuzzFeed — is another PR black eye inflicted on a company whose face that still hasn’t healed from the last half-dozen black eyes.

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people’s Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

Ring says this leak of personal data isn’t its fault. The company claims there’s been no breach. Maybe so, but the information is out there and presumably being exploited.

And it’s kind of hard to take Ring’s word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Ring’s spokesperson did not specify which other “companies” it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. “Unable to assist” is not a proper response to notification of a possible breach, but that’s exactly what Ring reps told the researcher when he first informed them of what he had found.

Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and “strong passwords” (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.

This is a garbage company. There’s no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it’s selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of “we care about our customers” statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.

Filed Under: , , , , ,
Companies: amazon, ring

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names”

Subscribe: RSS Leave a comment
25 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

Like fighting a fire by tossing on a few logs

“It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Given said data apparently includes ‘log-in emails, passwords, time zones, and the names people give to specific Ring cameras’, that excuse just raises a huge freakin question: Exactly why would another company have that data?

If the unnamed company in question got the data without Ring’s permission and/or knowledge that would absolutely be a data breach worth mentioning, so the only other explanation is that Ring gave that data to another company, which again raises the questions of ‘why?’ and ‘did they inform users that they would be handing that data to third-parties, and if so what explanation(if any) did they give for handing over everything needed to compromise the cameras they were encouraging people to install in their houses?’

DocGerbil100 says:

Re: Like fighting a fire by tossing on a few logs

I don’t want to be interpreted as having anything good to say about the flying hairy big brother clusterfuck that is Ring, much less be seen to defend them, but, honestly, their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.

Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras’ actual end users, this probably would explain why Ring doesn’t want to get involved in any investigations, or say anything useful that might help.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

Re: Re: Like fighting a fire by tossing on a few logs

their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.

While I’m sure they would like that to be the case, it simply doesn’t fly. There are thousands of people using their product who just had a whole lot of sensitive information made public, like it or not it is their problem, even if only to the extent of finding the source of the leak(and ideally informing the owners of the cameras so they know who had that information other than Ring) and doing what they can to prevent it from happening again.

Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras’ actual end users, this probably would explain why Ring doesn’t want to get involved in any investigations, or say anything useful that might help.

I rather suspect you’ve found the likely culprit there, and if anything that just makes it more important that they not be let off the hook and allowed to get away with a vague ‘someone else is responsible’ excuse, as if Ring is going to be using the various police departments as their sales force then I’d say it’s rather important for the public they are trying to ‘sell’ to to know beforehand that said police might very well have full log-in credentials to the cameras they are persuading people to install in their houses, so that they can make an informed decision about said cameras.

Ed (profile) says:

Certain people/groups have a hardon against Ring ever since the company partnered with law enforcement. For the most part, all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly. I suppose Ring should force 2FA from now on, or perhaps put a huge banner on the setup screen to caution against reusing a password from another site. No matter how secure they make their system, the weak-link is always going to be the users, which is what is being proven over and over again. But, yeah, go blame Ring instead, get your ad-clicks and page hits for shitty click-bait articles.

Anonymous Coward says:

Re: Re:

all of the supposed issues now being hysterically broadcast simply are because of ignorant users not securing the devices properly
You state this as though you had supporting data.

Ring should force 2FA
news item talks about hacks bypassing this
https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/

Perhaps you have a vested interest in Ring? Maybe you’re that person in those ads … lol

Another Ring User says:

Re: Re:

Agree with Ed. While I see all these hysterical posts none of them provide any additional details about why they come to the conclusion that Ring was at fault. RIng has repeatedly pointed out that the reported incidents were investigated and were found to be caused due to use of same passwords as other accounts that were indeed breached. It is not that hard to take emails and passwords that have been collected from other breached sites and tested against Ring to compile a list of "hacked" Ring accounts. Did any of the journalists bother to check what really happened or did they prefer to just be happy with the clicks from their sensational reporting?

Anonymous Coward says:

Re: Re: Re:

The hysteria (bad word choice btw) is most likely due to the recent news items about ring intrusions. Their analysis, ignoring the bias, states these instances were due to bad password management – ok.

There are security related reports that point out several security related shortcomings of the device that are unrelated to user password management. These reports did not seem "hysterical" to me, but I suppose it is subjective.

idk what "any of the journalists" did to fact check their piece, do most of them share such info with their readers?

It did seem a bit sensational, as in wtf, when I saw the story on the tv where some ass was harassing a child in their own room. But the talking heads should tone it down a notch? Is that what you are suggesting?

Not everyone is a l33t haxor like yourself.

Rekrul says:

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people’s Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

I’m surprised that none of these hackers have taken a more subtle approach and just played spooky sound effects at night to make the owners think their homes are haunted.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...