Amazon is facing backlash over its Ring home security camera and “smart home” product after a data leak exposed the personal information of over 3,000 users. The data breach included emails, passwords and other sensitive information that would allow hackers to access live camera footage from inside every room of people’s homes. This leak could potentially provide criminals and stalkers with access to view live video feeds from inside and around thousands of Ring customers’ homes, see archived videos, and get the precise location of all Ring devices attached to the compromised account by studying the orientation of the footage and location information attached to each camera.
Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.
Ring has claimed that this attack was the result of credential stuffing, a technique where attackers gather usernames and passwords compromised in another data breach and try them on other websites. “Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
The Ring spokesperson added that the company will notify customers who were affected and require them to reset their passwords. Ring does not alert users of attempted log-in from an unknown IP address, or tell users how many others are logged into an account at one time. Because of this, there is no obvious way to know whether any bad actors have logged into people’s compromised Ring accounts without their consent.
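The two account-side signals described above (a log-in from an address the account has not used before, and the number of sessions open at once) can be derived from ordinary authentication events, along with the one-source-many-accounts failure pattern typical of credential stuffing. The following is an added example, not code from the article or from Ring; the event format, the sample events, the function name `analyze` and the threshold of 3 are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth events (not real data): (time, account, source_ip, outcome)
EVENTS = [
    (1, "alice@example.com", "198.51.100.7", "success"),   # alice's usual address
    (2, "bob@example.com", "198.51.100.20", "success"),
    (3, "carol@example.com", "203.0.113.50", "fail"),
    (4, "dave@example.com", "203.0.113.50", "fail"),
    (5, "erin@example.com", "203.0.113.50", "fail"),
    (6, "alice@example.com", "203.0.113.50", "success"),   # reused password works
    (7, "bob@example.com", "198.51.100.20", "logout"),
]

STUFFING_THRESHOLD = 3  # assumed: distinct accounts failed from one IP before flagging


def analyze(events, threshold=STUFFING_THRESHOLD):
    """Return (alerts, active_session_counts) for a list of auth events."""
    known_ips = defaultdict(set)        # account -> IPs with a prior successful log-in
    sessions = defaultdict(set)         # account -> IPs with a session currently open
    failed_accounts = defaultdict(set)  # source IP -> distinct accounts it failed against
    alerts = []
    for ts, account, ip, outcome in sorted(events):
        if outcome == "fail":
            failed_accounts[ip].add(account)
            # One source failing against many different accounts suggests stuffing.
            if len(failed_accounts[ip]) == threshold:
                alerts.append((ts, "stuffing_suspected", ip))
        elif outcome == "success":
            # The first successful log-in sets the baseline; later unseen IPs alert.
            if known_ips[account] and ip not in known_ips[account]:
                alerts.append((ts, "new_ip_login", account))
            # A success from a flagged source means a reused password likely worked.
            if len(failed_accounts[ip]) >= threshold:
                alerts.append((ts, "success_from_stuffing_ip", account))
            known_ips[account].add(ip)
            sessions[account].add(ip)
        elif outcome == "logout":
            sessions[account].discard(ip)
    active = {acct: len(ips) for acct, ips in sessions.items() if ips}
    return alerts, active


if __name__ == "__main__":
    alerts, active = analyze(EVENTS)
    for alert in alerts:
        print(alert)
    print("active sessions per account:", active)
```
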
This data leak is the latest in a string of incidents involving compromised Ring accounts. The home surveillance camera company was acquired by Amazon in 2018 and has been targeted by hackers who used the cameras to harass children and families while documenting their actions on podcast livestreams. In November, cybersecurity company BitDefender published a white paper describing a now-resolved vulnerability that allowed hackers to physically intercept communications between Ring Video Doorbell Pros and a person’s Wi-Fi network.
The company also drew criticism when it was revealed that over 700 police departments in the US have signed contracts with Ring. These contracts give police access to the company’s law enforcement portal, which allows police to request camera footage from residents without receiving a warrant. In exchange, Ring often gives police free cameras, and it offers police more free cameras if they convince enough people to download its neighborhood watch app, Neighbors. In October, a group of 30 civil rights groups published a joint letter demanding that lawmakers stop the police partnership, calling it a threat to civil rights and liberties.