Amazon’s Ring is having a very bad week. BuzzFeed News first reported today that login credentials for thousands of Ring camera owners have been published online, including 3,672 sets of emails, passwords, time zones, and the names given to specific Ring cameras (“front door” or “kitchen,” for example). Later today, TechCrunch reported on a set of 1,562 credentials, also consisting of unique email addresses, passwords, time zones, and a camera’s named location. It’s unclear if there’s overlap in the two datasets, but TechCrunch said that its data “appears to be a similar-looking data set to that which [BuzzFeed News] obtained.”
In the hands of a bad actor, this information could potentially be used to log into your Ring account, watch live footage from your Ring cameras, and access additional personal data like your address, phone number, and some payment information. And you’d never know, unless you block it from happening by setting up two-factor authentication.
It’s not clear where the leaked credentials came from
Despite offering video doorbells and cameras that are marketed as better security for your home, Ring has struggled with a number of security flaws of its own, as has been reported on frequently as of late. In this case, it’s not exactly clear where the leaked credentials came from, but Ring claims its own security hasn’t been breached.
Here’s a statement Ring shared with The Verge:
Ring has not had a data breach. Our security team has investigated these incidents, and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network. It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.
But Ring also isn’t denying that some users have been exposed — it tells The Verge it’s proactively notified affected customers, and it’s resetting their passwords out of caution. The company also says it has contacted all customers to encourage them to enable two-factor authentication, change their passwords, and follow its recommended best practices for keeping their accounts secure.
However, of the four people BuzzFeed News spoke with whose information was part of the data leak, two said that Ring didn’t notify them that their data was compromised. TechCrunch reported that none of the people it spoke to had been contacted by Ring.
Are these just recycled passwords, or is something else going on?
Last week, there were many reports of hackers harassing people by accessing their Ring devices, with one group of hackers apparently even livestreaming themselves, and it’s unclear where those hackers got users’ logins. In a blog post last Thursday, Ring gave a response that’s quite similar to the statement it shared with The Verge, saying that it had “no evidence of an unauthorized intrusion or compromise of Ring’s systems or network” and suggesting that hackers may reused passwords for different services that may have been leaked elsewhere.
Regardless of exactly how Ring credentials are getting leaked, if you have a Ring device, there are steps you can take to make your account more secure, such as creating a unique account password and — yes — setting up two-factor authentication. Here’s our guide on how to do those.