Reporting from BuzzFeed News on Thursday revealed the leak of personal information from 3,672 users of Amazon Ring, just two days after a coalition of groups led by privacy advocates Fight for the Future issued a product warning due to the surveillance camera doorbell's security and susceptibility to hackers.
"This gives a potential attacker access to view cameras in somebody's home in some of these cases," Electronic Frontier Foundation security researcher Cooper Quintin told BuzzFeed News, "that's a real serious potential invasion of privacy right there."
SCOOP: Login credentials for **3,672** Ring owners were leaked this week, exposing log-in emails, passwords, time zones, names people give to specific Ring cameras, live camera footage, 30 to 60 day camera history, address, phone #, and payment info: https://t.co/k3aLxUZ7bX — Caroline Haskins (@carolineha_) December 19, 2019
Ring reportedly sent a security alert to customers recommending they change passwords.
According to BuzzFeed News:
Security experts told BuzzFeed News that the format of the leaked data—which includes username, password, camera name, and time zone in a standardized format—suggests it was taken from a company database. They said data obtained via credential stuffing—when previously-compromised emails and passwords are used to get access to other accounts—would likely not display Ring-specific data like camera names or time zone.
After the reporting's publication Thursday, New York Times product review vertical Wirecutter announced on Twitter that it would no longer recommend Ring and urged customers with the device to take extensive security measures.
"In light of recent reports about the security of Ring devices, we're suspending our recommendation of Ring products and updating affected guides as soon as possible," tweeted Wirecutter. "Ring owners should turn on 2FA and update their passwords with a new, previously unused one."
"Amazon is not taking the steps necessary to protect their users," Fight for the Future chief technology officer Ken Mickles said in a statement.
In a statement to BuzzFeed News, Ring denied there was a "data breach" and pinned the blame for the leak on "bad actors."
Also on Thursday, TechCrunch reported that there is a separate cache of over 1,500 Ring passwords on the so-called dark web.
New: Another cache of 1,500 Ring account passwords has been published on the dark web. Only a few hours ago, BuzzFeed News reported on a batch of 3,000 Ring account passwords had also been found online. https://t.co/pRDXa5RmvI — Zack Whittaker (@zackwhittaker) December 19, 2019
"The list of passwords was uploaded on Tuesday to an anonymous dark web text-sharing site, commonly used to share stolen passwords and illicit materials," according to TechCrunch. "A security researcher found the cache of email addresses and passwords, which can be used to log in to and access the cameras, as well as their time zone and the doorbell's location, such as 'driveway' or 'front door.'"
Fight for the Future's product warning detailed the concerns over the technology's vulnerability to hackers and other malicious actors:
Last week, a man hacked into a Ring camera to watch an 8-year-old girl and speak to her. He introduced himself as Santa Claus and then proceeded to have a conversation with the young girl through a Ring camera her parents had installed in her bedroom. Since this chilling incident, there have been new reports daily of other users and their families being harassed by hackers who've broken into their Ring devices.
This isn't an isolated incident. Multiple security issues with Ring products, which already raised significant privacy and civil liberties concerns, have been reported over the past several months. Amazon's Ring doorbells leaked users' Wi-Fi passwords. Ring's Neighbors app discloses users' home addresses. In response to Senate inquiry, Amazon acknowledged they have no safeguards in place to protect users' footage when shared with 3rd parties.
It's not the first controversy for the camera. Ring has been linked to worrying trends in the connection between tech companies and law enforcement, including agreements the company makes with police departments around the country that reportedly do not allow law enforcement officials to disclose.
"There have been a number of pretty stunning breaches with Ring devices in the last few weeks, and it seems to me like Ring is more interested in making friends with and providing information to police than it is in actually protecting its customers' security," said Electronic Frontier Foundation's Quintin.
"For too long, we've been sold a false choice between privacy and security," wrote Evan Greer, campaign director for Fight for the Future, in an opinion piece Tuesday. "It's more clear every day that more surveillance does not mean more safety, especially for the most vulnerable."
"Talk to your family and friends and encourage them to do their research before putting any private company's surveillance devices on your door or in your home," Greer continued. "In the end, companies like Amazon and Google don't care about keeping our communities safe; they care about making money."