[BreachExchange] Amazon’s Ring has been blaming reused passwords, but now thousands of logins have leaked
Destry Winant
destry at riskbasedsecurity.com
Mon Dec 23 10:19:48 EST 2019
https://www.theverge.com/2019/12/19/21030545/ring-leaked-personal-data-amazon-video-doorbell-camera-security-login-credentials
Amazon’s Ring is having a very bad week. BuzzFeed News first reported
today that login credentials for thousands of Ring camera owners have
been published online, including 3,672 sets of emails, passwords, time
zones, and the names given to specific Ring cameras (“front door” or
“kitchen,” for example). Later today, TechCrunch reported on a set of
1,562 credentials, also consisting of unique email addresses,
passwords, time zones, and a camera’s named location. It’s unclear if
there’s overlap in the two datasets, but TechCrunch said that its data
“appears to be a similar-looking data set to that which [BuzzFeed
News] obtained.”
In the hands of a bad actor, this information could potentially be
used to log into your Ring account, watch live footage from your Ring
cameras, and access additional personal data like your address, phone
number, and some payment information. And you’d never know, unless you
block it from happening by setting up two-factor authentication.
IT’S NOT CLEAR WHERE THE LEAKED CREDENTIALS CAME FROM
Despite offering video doorbells and cameras that are marketed as
better security for your home, Ring has struggled with a number of
security flaws of its own, as has been reported on frequently as of
late. In this case, it’s not exactly clear where the leaked
credentials came from, but Ring claims its own security hasn’t been
breached.
Here’s a statement Ring shared with The Verge:
Ring has not had a data breach. Our security team has investigated
these incidents, and we have no evidence of an unauthorized intrusion
or compromise of Ring’s systems or network. It is not uncommon for bad
actors to harvest data from other company’s data breaches and create
lists like this so that other bad actors can attempt to gain access to
other services.
But Ring also isn’t denying that some users have been exposed — it
tells The Verge it’s proactively notified affected customers, and it’s
resetting their passwords out of caution. The company also says it has
contacted all customers to encourage them to enable two-factor
authentication, change their passwords, and follow its recommended
best practices for keeping their accounts secure.
However, of the four people BuzzFeed News spoke with whose information
was part of the data leak, two said that Ring didn’t notify them that
their data was compromised. TechCrunch reported that none of the
people it spoke to had been contacted by Ring.
ARE THESE JUST RECYCLED PASSWORDS, OR IS SOMETHING ELSE GOING ON?
Last week, there were many reports of hackers harassing people by
accessing their Ring devices, with one group of hackers apparently
even livestreaming themselves, and it’s unclear where those hackers
got users’ logins. In a blog post last Thursday, Ring gave a response
that’s quite similar to the statement it shared with The Verge, saying
that it had “no evidence of an unauthorized intrusion or compromise of
Ring’s systems or network” and suggesting that hackers may reused
passwords for different services that may have been leaked elsewhere.
Regardless of exactly how Ring credentials are getting leaked, if you
have a Ring device, there are steps you can take to make your account
more secure, such as creating a unique account password and — yes —
setting up two-factor authentication. Here’s our guide on how to do
those.
More information about the BreachExchange
mailing list