
A Data Leak Exposed the Personal Information of over 3k Ring Users - Sami_Lehtinen
https://www.buzzfeednews.com/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users
======
roywiggins
This seems important:

"Ring does not alert users of attempted log-in from an unknown IP address, or
tell users how many others are logged into an account at one time. Because of
this, there is no obvious way to know whether any bad actors have logged into
people’s compromised Ring accounts without their consent."

I can understand not having 2FA turned on by default, but a _bare minimum_ for
this kind of service would be to alert users when someone successfully logs in
from a new device.

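As an added example (not code from the thread or from Ring), here is the server-side logic behind the two things roywiggins asks for, replayed over a constructed login event stream: a "new device" alert the first time an account logs in successfully from a device it has not been enrolled with, and a count of how many sessions are active on each account at any moment. The Event fields, the enrolled-device registry and the sample events are all assumptions made up for the example.

```python
"""Added example, not code from the thread or from Ring: new-device login
alerts and per-account active-session counts over a constructed event stream.
The Event fields, the enrolled-device registry and the sample data are all
assumptions made up for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: int          # seconds since epoch; events are replayed in list order
    account: str
    device_id: str   # assumed stable per app install (install id or cookie)
    ip: str
    kind: str        # "login_ok" or "logout"; anything else is ignored


@dataclass
class AccountState:
    known_devices: Set[str] = field(default_factory=set)
    sessions: Dict[str, str] = field(default_factory=dict)  # device_id -> ip


def process(
    events: List[Event], enrolled: Dict[str, Set[str]]
) -> Tuple[List[str], Dict[str, int], Dict[str, int]]:
    """Replay events and return (alerts, peak_sessions, current_sessions).

    `enrolled` lists the devices each account is already known to use (for
    instance the phone the account was set up from). A successful login from
    any other device produces an alert that also says how many other sessions
    were already open, which is what a "someone else is logged in" notification
    needs to tell the user.
    """
    state: Dict[str, AccountState] = {
        acct: AccountState(known_devices=set(devs)) for acct, devs in enrolled.items()
    }
    alerts: List[str] = []
    peak: Dict[str, int] = {}

    for e in events:
        st = state.setdefault(e.account, AccountState())
        if e.kind == "login_ok":
            if e.device_id not in st.known_devices:
                st.known_devices.add(e.device_id)
                alerts.append(
                    f"ts={e.ts} account={e.account}: new device {e.device_id} "
                    f"logged in from {e.ip}; {len(st.sessions)} other session(s) "
                    f"already active"
                )
            st.sessions[e.device_id] = e.ip
            peak[e.account] = max(peak.get(e.account, 0), len(st.sessions))
        elif e.kind == "logout":
            st.sessions.pop(e.device_id, None)

    current = {acct: len(st.sessions) for acct, st in state.items()}
    return alerts, peak, current


# Constructed sample data (not real accounts, devices or addresses).
ENROLLED: Dict[str, Set[str]] = {"alice": {"iphone-a1"}, "bob": {"pixel-b7"}}
SAMPLE_EVENTS: List[Event] = [
    Event(1000, "alice", "iphone-a1", "198.51.100.4", "login_ok"),
    Event(1060, "bob", "pixel-b7", "198.51.100.9", "login_ok"),
    # An install the account has never used, from an unrelated address: this
    # is the login the service should tell alice about.
    Event(1120, "alice", "android-9f2c", "203.0.113.77", "login_ok"),
    Event(1180, "alice", "iphone-a1", "198.51.100.4", "logout"),
]

if __name__ == "__main__":
    alerts, peak, current = process(SAMPLE_EVENTS, ENROLLED)
    for a in alerts:
        print("ALERT", a)
    print("peak sessions:", peak)
    print("current sessions:", current)
```

Keying the alert on the device rather than on the IP is deliberate: phones on cellular change address constantly, so a bare "new IP" alert becomes noise that users learn to ignore. The device id is still client-supplied, so in practice you would combine it with the IP's ASN and the failure rate seen from that address before deciding how loudly to alert.
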
~~~
BelleOfTheBall
I've recently had a similar problem with Spotify. My account was stolen. In
part because I did not have 2FA turned on... because the app doesn't offer it
for some reason. And, in part, because whoever logged into my account from a
different IP and device supposedly didn't trip any of their security measures.
So I was never even told that someone took hold of my account until I tried to
get on.

It's baffling to me that any popular app wouldn't have 2FA (or any app, for
that matter.)

~~~
caf
I'm curious as to how stolen Spotify accounts are monetised? What's the value
of them?

~~~
dylz
[https://www.ebay.com/sch/i.html?_&_nkw=spotify+warranty&_sac...](https://www.ebay.com/sch/i.html?_&_nkw=spotify+warranty&_sacat=0)

All keylogged/phished/etc.

~~~
caf
This is fascinating - the individual prices are so low that they really must
be moving a great number to turn a worthwhile profit.

------
qw3rty01
Even if it was the official article title, "Data Leak" is extremely
misleading; the attack is called credential stuffing and is unrelated to any
sort of breach on Ring's end.

Edit: finished reading the article, and the entire text is just as misleading
as the title, credential stuffing happens all the time and really isn't
newsworthy.

~~~
geofft
> _credential stuffing happens all the time and really isn't newsworthy._

If a bad thing happens all the time and people are unaware of it, calling
attention to it is entirely newsworthy.

To you, as a jaded security person who understands that there are systemic
risks to any network-connected service and nobody is good at defending against
them, perhaps it's perfectly normal. To a customer who is making the decision
between buying a network-connected doorbell for their security and buying a
perfectly normal offline doorbell, the fact that credential stuffing happens
all the time is a thing they need to hear about!

(Also, there are straightforward ways to resist these attacks, such as "You
must use 2FA," "You can only pair a new device with your Ring account while
it's in physical proximity to your Ring device," "You must use either 2FA or
physical proximity," "The app will generate a password for you and won't let
you use an existing one, feel free to write it down on a piece of paper," etc.
A home security system _should_ be more paranoid than a politics forum or a
meme generator at keeping accounts secure.)

~~~
dylz
I really hope physical proximity is also some kind of handshake with the
device, and not spoofable in-app "GPS"

~~~
funcDropShadow
I hope physical proximity does not mean standing in front of the door.
Outside.

------
sp332
Just after this came out, another batch of 1,500 Ring credentials was
discovered. [https://techcrunch.com/2019/12/19/ring-doorbell-passwords-ex...](https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/)

"of those we spoke to none had been contacted by Ring — contrary to the
company’s claim."

------
saisundar
It's fascinating how Ring's business model benefits from local crime
prevalence, which in turn might lead people to invest in home security.

It is also fascinating how media companies are likely to pounce on the
slightest of flaws (some malignant, and some innocuous) with either Nest or
Ring, since it feeds on people's sense of security/safety again, and thus are
likely to lead to more clicks.

~~~
farisjarrah
> It's fascinating how Ring's business model benefits from local crime
> prevalence, which in turn might lead people to invest in home security.

That's an interesting point. The whole Ring ecosystem is kinda boosted by
Amazon's other business too: leaving boxes on people's front porches to be
stolen. Amazon really knows how to grow a circular ecosystem huh?

~~~
zorpner
A friend of mine recently made the excellent point that Ring also provides
Amazon with surveillance footage of their own delivery service employees.
Synergy!

------
BEEdwards
Not referenced in this article, but something I've been thinking about while
reading about the security kerfuffle, why are people putting cameras in their
kids' rooms?

I get the exterior, but why are they spying on their kids? I can't think of a
security reason for it, it's just super controlling and creepy.

~~~
nwallin
Baby monitors are a thing and have been for close to 80 years. Now that
cameras and displays are cheap, video is on there too.

~~~
BEEdwards
I don't mean baby monitors, I mean cameras in the room of an 8 year old.

[https://www.nbcnews.com/news/us-news/man-hacks-ring-camera-8...](https://www.nbcnews.com/news/us-news/man-hacks-ring-camera-8-year-old-girl-s-bedroom-n1100586)

~~~
all_blue_chucks
So that they can be watched from elsewhere in the house...

~~~
mulmen
Obviously, but the question is _why_ parents would do this.

~~~
all_blue_chucks
Probably because they have multiple rooms in their homes.

~~~
mulmen
That doesn’t really answer the question. If technology allows unlimited
monitoring of your children where would you draw the line? Do you want to
raise people who accept constant surveillance as a fact of life? They’re home,
give them their own space.

~~~
all_blue_chucks
In my own house I have cameras wherever I find them convenient. A playroom is
not a bedroom or a bathroom.

------
DyslexicAtheist
J Cox did some analysis of the dumps, writing:

_"I just ran these in a script I wrote to process them through HaveIBeenPwned
in bulk. Every single email except ~20 was already compromised. These Ring
dumps going around (+Buzzfeed prob) are highly likely password reuse; not
evidence to suggest internal DB"_

source
[https://twitter.com/josephfcox/status/1207864924459978752](https://twitter.com/josephfcox/status/1207864924459978752)

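Added example, not the script Cox ran and not from the thread. Cox checked the dumped e-mail addresses against HaveIBeenPwned's breach database; that endpoint needs an API key and is not reproduced here. What follows is the companion check on the passwords themselves, using HIBP's Pwned Passwords range API, which needs no key and, by k-anonymity, never sends the password or its full hash: only the first five hex characters of the SHA-1 go over the wire, and the matching suffix is looked up locally in the returned range. The credential dump and the range responses below are constructed for the example; `fetch_range_http` is the real request shape and is not called offline.

```python
"""Added example, not Cox's script: triage a (constructed) credential dump
against HIBP's Pwned Passwords range API using the k-anonymity prefix query.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """A range response is one 'SUFFIX:COUNT' pair per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen).
    Only the 5-char prefix leaves the machine; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def triage_dump(creds: List[Tuple[str, str]],
                fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Bulk check: one range query per credential pair (a real run would cache
    repeated prefixes; omitted here for clarity)."""
    return [(email, pwned_count(pw, fetch_range)) for email, pw in creds]


def fetch_range_http(prefix: str) -> str:
    """Live lookup over the network, with the identifying User-Agent the API
    documentation asks for. Not exercised by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "ring-dump-triage-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. SHA-1 of
# "password" really is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so "5BAA6"
# is a genuine prefix; the neighbouring suffixes and every count are invented.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\r\n"
             "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    # Prefixes we have no constructed data for return a range with no match.
    return FAKE_RANGES.get(prefix, "0" * 34 + "A:1\r\n")


SAMPLE_DUMP: List[Tuple[str, str]] = [  # constructed, not from any real leak
    ("user1@example.com", "password"),
    ("user2@example.com", "Tq7!vR2#mLp9zXw4"),
]

if __name__ == "__main__":
    for email, n in triage_dump(SAMPLE_DUMP, fake_fetch_range):
        print(f"{email}: {'seen ' + str(n) + 'x in breaches' if n else 'not in corpus'}")
```

If nearly every password in a dump comes back with a non-zero count, that is the same evidence Cox's e-mail check produced from the other direction: the credentials were already circulating, which points at reuse and stuffing rather than at a database on Ring's side. Swap `fake_fetch_range` for `fetch_range_http` to run it for real; the privacy property holds either way, since the service only ever sees the 5-character prefix.
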
------
uhoh-itsmaciek
If you hold sensitive customer data, you should idiot-proof your security,
even if you can't help the better idiots. It's silly to even call these users
idiots, when the service could implement several features to make them safer--
whether or not they are idiots is totally beside the point. They're customers.

------
alpb
I'm curious if Ring operates a different security engineering team than the
rest of Amazon. Because Amazon.com or AWS would not get hacked; not like this.

~~~
paggle
Given what I’ve seen of acquisitions the teams remain distinct _decades_
later.

------
kerng
Amazon's response seems quite defensive. They are typically a bit black box
when it comes to security issues.

~~~
oh_sigh
Maybe it's because literally every password protected service is vulnerable to
users reusing passwords on other insecure sites.

It would be like a website writing an exposé on how Ford trucks are killing
hundreds of drivers and expecting a response from Ford, but when you read the
details it's because users are driving their trucks into brick walls,
something that literally every car on the market is susceptible to.

~~~
kerng
MFA?

~~~
JoBrad
They do have MFA, but only via SMS.

------
EddieCPU
“An intruder could also access live camera footage from all active Ring
cameras associated with an account, as well as a 30- to 60-day video history,
depending on the user’s cloud storage plan.”

If it's stored in the Cloud, then it ain't private.

------
Havoc
Ring sure is doing a whole lot of good for privacy awareness

...by showing how not to do it

