Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack

from the better-put-a-camera-on-the-data dept

Ring offers security products. Shame they’re not all that secure. Sure, things have improved in recent years, but there was nowhere to go but up.

In December 2019, multiple reports surfaced of Ring cameras — most of them inside people’s houses — being hijacked by malicious idiots who used the commandeered cameras to yell nasty things at people’s children when not just lurking and watching the inner lives of unsuspecting Ring users. The worst of these people performed livestreams of camera hacking, taunting and frightening their targets for the amusement of truly terrible human beings.

The problem here was the default security options for the cameras. Ring did not require anything more than an email address and password to activate accounts, allowing these miscreants to sift through the massive piles of endlessly reused credentials to hijack the cameras. Shortly thereafter, Ring “encouraged” users to enable two-factor authentication. But it did not make this a requirement.

That same month, login credentials for nearly 4,000 Ring owners were exposed. Ring claimed it had suffered no breach, suggesting (rather unbelievably) that people were pulling credentials from other data breaches and compiling lists of verified Ring owners. Whatever the case, the company still wasn’t forcing customers to use strong passwords or enable 2FA, so credentials continued to be easily obtained and exploited.

The hijacked cameras led to a lawsuit in early 2020. A few days after the lawsuit was filed, Ring finally decided it was time to make some changes. It added a privacy dashboard for users to allow them to manage connected devices, block any they didn’t recognize, and control their interactions with law enforcement. And it finally made 2FA opt-out, rather than opt-in.

None of that’s helping much in the latest bad news for Ring. As Joseph Cox reports for Motherboard, hackers claim to have made off with some Ring data and left behind a ransom note.

A ransomware gang claims to have breached the massively popular security camera company Ring, owned by Amazon. The ransomware gang is threatening to release Ring’s data. 

The party behind this appears to be ALPHV, a ransomware gang that — unlike others in this criminal business — created a searchable database of data obtained from these attacks and made it available on the open web.

That’s where this data may soon end up:

“There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo.

Nice. But what data is it? And where did it come from?

Ring claims this isn’t its data, at least not specifically. In a comment to Motherboard, Ring claimed the breached/ransomed party is one of its third-party vendors and not Ring itself. But ALPHV must have something Ring-related and worth ransoming, otherwise it likely would not have called out Ring by name (and logo) on its website. Ring says this vendor does not have access to customer records, but it could have access to information and records Ring may not want to be made public.

Whatever the case, Ring claims to be on top of it. Not exactly comforting, given its history of taking a rather hands-off approach to user security.

Companies: amazon, ring


Comments on “Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack”

11 Comments


Anonymous Coward says:

Re:

No. Just no. Section 230 is not magic. Even if, somehow, your mind can get from “website is not liable for what others put on it” to hacking of all things, there’s this little thing called FEDERAL CRIMINAL LAW that criminalizes hacking (see CFAA for example) and is completely unaffected by Section 230.

So, in conclusion, you are wrong, and because your argument is nonexistent I can’t tell whether you are a cretin or just shockingly ignorant.

Nimrod (profile) says:

The same people who freak out about their data being “stolen” will EAGERLY hand it all over if you promise them a free order of french fries, and PAY to install all sorts of devices that allow others to monitor them, their families, and even their neighbors in the name of “security”. I suppose this makes perfect sense when you claim to be protected by invisible men in the sky, yet need to hedge that bet by keeping deadly weapons close at hand to “keep yourself safe”. It must be rough, living with all of that FEAR…
