Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack

from the better-put-a-camera-on-the-data dept

Ring offers security products. Shame they’re not all that secure. Sure, things have improved in recent years, but there was nowhere to go but up.

In December 2019, multiple reports surfaced of Ring cameras — most of them inside people’s houses — being hijacked by malicious idiots who used the commandeered cameras to yell nasty things at people’s children when not just lurking and watching the inner lives of unsuspecting Ring users. The worst of these people performed livestreams of camera hacking, taunting and frightening their targets for the amusement of truly terrible human beings.

The problem here was the default security options for the cameras. Ring did not require anything more than an email address and password to activate accounts, allowing these miscreants to sift through the massive piles of endlessly reused credentials to hijack the cameras. Shortly thereafter, Ring “encouraged” users to enable two-factor authentication. But it did not make this a requirement.

That same month, login credentials for nearly 4,000 Ring owners were exposed. Ring claimed it had suffered no breach, suggesting (rather unbelievably) that people were compiling credentials from other data breaches and compiling lists of verified Ring owners. Whatever the case, the company still wasn’t forcing customers to use strong passwords or enable 2FA, so credentials continued to be easily obtained and exploited.

The hijacked cameras led to a lawsuit in early 2020. A few days after the lawsuit was filed, Ring finally decided it was time to make some changes. It added a privacy dashboard for users to allow them to manage connected devices, block any they didn’t recognize, and control their interactions with law enforcement. And it finally made 2FA opt-out, rather than opt-in.

None of that’s helping much in the latest bad news for Ring. As Joseph Cox reports for Motherboard, hackers claim to have made off with some Ring data and left behind a ransom note.

A ransomware gang claims to have breached the massively popular security camera company Ring, owned by Amazon. The ransomware gang is threatening to release Ring’s data. 

The party behind this appears to be ALPHV, a ransomware gang that — unlike others in this criminal business — created a searchable database of data obtained from these attacks and made it available on the open web.

That’s where this data may soon end up:

“There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo.

Nice. But what data is it? And where did it come from?

Ring claims this isn’t its data, at least not specifically. In a comment to Motherboard, Ring claimed the breached/ransomed party is one of its third-party vendors and not Ring itself. But ALPHV must have something Ring-related and worth ransoming, otherwise it likely would not have called out Ring by name (and logo) on its website. Ring says this vendor does not have access to customer records, but it could have access to information and records Ring may not want to be made public.

Whatever the case, Ring claims to be on top of it. Not exactly comforting, given its history of taking a rather hands-off approach to user security.

Filed Under: , ,
Companies: amazon, ring

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack”

Subscribe: RSS Leave a comment

This comment has been flagged by the community. Click here to show it.

This comment has been flagged by the community. Click here to show it.

Anonymous Coward says:


No. Just no. Section 230 is not magic. Even if, somehow, your mind can get from “website is not liable for what others put on it” to hacking of all things, there’s this little thing called FEDERAL CRIMINAL LAW that criminalizes hacking (see CFAA for example) and is completely unaffected by Section 230.

So, in conclusion, you are wrong, and because your argument is nonexistent I can’t tell whether you are a cretin or just shockingly ignorant.

This comment has been flagged by the community. Click here to show it.

Nimrod (profile) says:

The same people who freak out about their data being “stolen” will EAGERLY hand it all over if you promise them a free order of french fries, and PAY to install all sorts of devices that allow others to monitor them, their families, and even their neighbors in the name of “security”. I suppose this makes perfect sense when you claim to be protected by invisible men in the sky, yet need to hedge that bet by keeping deadly weapons close at hand to “keep youself safe”. It must be rough, living with all of that FEAR…

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...