Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names
2019-12-23
The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:
- Engage in law enforcement stings that don't sting anyone
- Teach cops how to bypass warrant requirements
- Sign up a bunch of people for its snitch app
- Use said snitch app to generate "suspicious person" alerts
- Blame users for not securing their cameras properly
- Admit the company places no restrictions on sharing of subpoenaed footage by law enforcement agencies
- Let everyone know it's collecting images of children
The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face still hasn't healed from the last half-dozen black eyes.
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”
The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.
Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.
And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.
“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.
Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.
This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.
Like fighting a fire by tossing on a few logs
“It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
Given said data apparently includes 'log-in emails, passwords, time zones, and the names people give to specific Ring cameras', that excuse just raises a huge freakin question: Exactly why would another company have that data?
If the unnamed company in question got the data without Ring's permission and/or knowledge that would absolutely be a data breach worth mentioning, so the only other explanation is that Ring gave that data to another company, which again raises the questions of 'why?' and 'did they inform users that they would be handing that data to third-parties, and if so what explanation (if any) did they give for handing over everything needed to compromise the cameras they were encouraging people to install in their houses?'
[ reply to this | link to this | view in chronology ]
Re: Like fighting a fire by tossing on a few logs
I don't want to be interpreted as having anything good to say about the flying hairy big brother clusterfuck that is Ring, much less be seen to defend them, but, honestly, their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.
Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.
[ reply to this | link to this | view in chronology ]
Re: Re: Like fighting a fire by tossing on a few logs
their reply seems to me to be more like a "nothing to do with us, guv" generic PR disclaimer, than an indicator of anything resembling a particularised suspicion of a third party.
While I'm sure they would like that to be the case, it simply doesn't fly. There are thousands of people using their product who just had a whole lot of sensitive information made public; like it or not, it is their problem, even if only to the extent of finding the source of the leak (and ideally informing the owners of the cameras so they know who had that information other than Ring) and doing what they can to prevent it from happening again.
Also, the thought occurs that, if this data has been leaked by a third party, it might well be by local police departments, or their third parties, rather than by anyone directly associated with Ring itself. Given that Ring clearly sees local police as their main customer base, rather than the cameras' actual end users, this probably would explain why Ring doesn't want to get involved in any investigations, or say anything useful that might help.
I rather suspect you've found the likely culprit there, and if anything that just makes it more important that they not be let off the hook and allowed to get away with a vague 'someone else is responsible' excuse, as if Ring is going to be using the various police departments as their sales force then I'd say it's rather important for the public they are trying to 'sell' to to know beforehand that said police might very well have full log-in credentials to the cameras they are persuading people to install in their houses, so that they can make an informed decision about said cameras.
[ reply to this | link to this | view in chronology ]
Whelp...
What a dumpster fire
[ reply to this | link to this | view in chronology ]
ring of fire by johnny cash
Why do I keep hearing the Ring of Fire by Johnny Cash?
all together now:
robo-copyright activated
[ reply to this | link to this | view in chronology ]
Re: ring of fire ♨ by johnny ¢a$h
Eiffel inn two a bern inn ringo phyre ♨
Eye weren't doun, doun, doun
Anderr Flaims when tyre
Ann deet byrns, burnes, bernes
The ringo phyre ♨
The ringo feier♨
[ reply to this | link to this | view in chronology ]
Re: Re: ring of fire ♨ by johnny ¢a$h
O Tay!
[ reply to this | link to this | view in chronology ]
Hard to have a data breach of your network when you treat user privacy as a sellable commodity or a donut supply for cops.
[ reply to this | link to this | view in chronology ]
Why on earth would anyone have passwords stored anywhere?
Every half-competent authentication software only stores salted and hashed passwords.
Unless maybe Ring is suggesting that nearly 4000 people 'shared' (possibly unintentionally) their passwords with malicious software/sites/people (which seems... doubtful to me).
[ reply to this | link to this | view in chronology ]
"Security team"
“Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said.
The security team is not particularly skilled, perhaps? Would be interesting to see the team's credentials...
[ reply to this | link to this | view in chronology ]
citizens/customers who own its products
own its products
You sure about that?
[ reply to this | link to this | view in chronology ]
whomp whomp whomp
They bought a device that sold out their privacy and now they want their privacy back?
Whomp Whomp Whomp
[ reply to this | link to this | view in chronology ]
