What you need to know
- The credentials and user data of 3,600 cameras have been leaked online.
- This includes log-in emails, passwords, and camera nicknames.
- An additional cache belonging to 1,500 users have also been discovered for sale on the dark web. It's not yet clear whether these are from the same data set or if it's an additional leak.
Smart home security firm, Ring has been caught in a cycle of screwup after screwup, but this one might just be the most egregious. The firm has, according to a report from Buzzfeed News, had the data of 3,600 users leaked online. This data included usernames, passwords, and information about the cameras like what they were named — hinting at their location in users' homes. Another leak of 1,500 users was also discovered for sale on the dark web (as reported by TechCrunch.) Much like the earlier leak, the data contained in was much of the same.
While Ring has yet to comment on the latter leak, a spokesperson told Buzzfeed the following regarding the former:
Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network. It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.
Ring's reasoning here is a bit confusing. It's true that on the one hand, you could argue that bad actors may have matched the credentials of Ring users to accounts originating from other breaches. On the other hand, as security researcher Cooper Quintin notes, the information in the dump contained Ring specific information that could not have come from another firm's credential dump. It's unlikely that a Gmail breach, for instance, would contain the nicknames and locations of a ring account. Ring may dispute a data breach through its spokespeople, but its explanation leaves something to be desired.
Smart cameras probably help more than they harm when it comes to home security, but like with all things security-oriented, it's only as strong as its weakest link. Ring's data breaches have, unfortunately, been eroding customer trust in the firm, and its response here can't possibly help matters. The best thing for current Ring users to do right now is to secure their devices as best as they can while the company gets its act together. Enabling two-factor authentication is probably a good start.