Personal information of more than 3,000 Ring users reportedly exposed in data leak

Thousands of Ring camera users reportedly had sensitive personal information exposed in a recent data leak.

A report published by BuzzFeed News first revealed that 3,672 Ring camera owners had their login credentials compromised, potentially allowing an intruder access to customers’ addresses, telephone numbers and payment information.

Additionally, Ring login information grants access to all live camera footage associated with a customer’s account and up to 60 days of video history, depending on the individual’s storage plan.


A security researcher who initially posted about the leak on a cybersecurity-focused subreddit told BuzzFeed News he found a list of the compromised Ring accounts posted anonymously on a text storage site.

Ring explicitly denied that the leak was linked to a breach in its security system and would not confirm how many users were affected by the leak. 

Instead, the company said that “bad actors” online obtained customer login info from a separate, external breach not related to Ring. The credentials were subsequently used to hack users’ accounts.

FILE: Close-up of Ring doorbell, equipped with a camera and machine learning capabilities, installed outside a home in Los Angeles, California, October 21, 2018. (Smith Collection/Gado/Getty Images)

“Our security team investigated the incident and we have no evidence of an unauthorized intrusion or any sort of compromise of our system and networks,” a Ring spokesperson said. 

“These bad actors who are super sophisticated are harvesting the data that they are getting from other breaches and then they are creating lists.”

The type of cyber attack that Ring referenced is known as “credential stuffing.” But a security expert who analyzed the list said the format of the compromised information, which includes the names of the Ring cameras and rough locations, suggests otherwise. 

“If it was a credential stuffing attack, I don’t understand why the attacker chose to go get that data for each compromised account and add it to their list,” senior staff technologist of the Electronic Frontier Foundation, Cooper Quintin, said. “I don’t totally buy it.” 

While Quintin found that several of the accounts on the list had been previously compromised, he said the leak still raises major security concerns.

“The fact is that Ring presumably didn’t notice somebody attacking their systems trying out thousands of username and password combinations,” Quintin said.
 
The leak is the latest incident involving security issues with the Amazon-owned home security service. 

An attacker recently used the same information from the list to hack into a Tennessee family’s Ring security system and speak to a little girl as Santa Claus in her bedroom. 

Non-profit advocacy group Fight for the Future published a product warning for Ring cameras Tuesday, alerting users to the security flaws in the devices.

"Reports indicate there is a growing black market for software to hack Ring devices, likely being purchased by stalkers, cyber criminals, and those wishing to do harm to children," the warning cautioned.

Ring said it has since contacted all users who were affected by the breach and reset their passwords.