Ring Throws Customers Under the Bus After Data Breach

Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and sparking serious concerns about the company’s security practices, Buzzfeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.

This stunning new leak could potentially provide criminals and stalkers with access to view live video feeds from inside and around thousands of Ring customers’ homes, see archived videos, and get the precise location of all Ring devices attached to the compromised account by studying the orientation of the footage and location information attached to each camera. 

Ring has claimed that this attack was the result of credential stuffing, a technique where attackers gather usernames and passwords compromised in another data breach and try them on other websites. Ring claims that the incident is “in no way related to a breach or compromise of Ring’s security.” Ring is attempting to place the blame squarely at the feet of their customers for reusing passwords, using weak passwords, and not turning on two-factor authentication. The truth is that Ring itself deserves the largest share of blame for every attack that their users have suffered.

An email sent to Ring users notifying them of the breach.

We don’t currently know how the Ring account data was acquired but for the moment let’s take Ring at their word that this was a credential stuffing attack. That implies that an attacker tried tens or even hundreds of thousands of username and password combinations on Ring’s website, and Ring didn’t even notice until they were alerted by security researchers.

Best practices in website security provide a few basic guidelines. First, numerous subsequent failed attempts on an account should result in extra scrutiny for logging in to that account. This may include limiting the number of attempts or locking the account until the owner can be contacted. Second, when a password is chosen for an account, this should go through some form of scrutiny: checking whether it is in a list of known compromised passwords and ensuring that it is sufficiently complex. Third, account holders should be able to see (and audit) the list of devices that have logged in to their account. And fourth, companies should encourage users to enable two-factor authentication (2FA) in their account settings.
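The first guideline above can be sketched as follows. This is an added illustration, not code from Ring or from the original article; the `LoginGuard` class, its thresholds, and the sample events are assumptions constructed for the example. It tracks failed logins per account and per source, and flags the pattern credential stuffing produces: one source failing against many different accounts.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Sliding-window failure tracking; all thresholds are illustrative."""

    def __init__(self, window=300, per_account=5, accounts_per_source=10):
        self.window = window
        self.per_account = per_account
        self.accounts_per_source = accounts_per_source
        self.by_account = defaultdict(deque)  # account -> failure timestamps
        self.by_source = defaultdict(deque)   # source -> (timestamp, account)

    def check(self, ts, source, account):
        """Decide before the password is verified."""
        acct, src = self.by_account[account], self.by_source[source]
        while acct and ts - acct[0] > self.window:
            acct.popleft()
        while src and ts - src[0][0] > self.window:
            src.popleft()
        if len({a for _, a in src}) >= self.accounts_per_source:
            return "block"      # one source failing across many accounts
        if len(acct) >= self.per_account:
            return "challenge"  # repeated failures on a single account
        return "allow"

    def record_failure(self, ts, source, account):
        self.by_account[account].append(ts)
        self.by_source[source].append((ts, account))

def replay(events):
    """Run (ts, source, account, password_ok) tuples through a fresh guard."""
    guard, decisions = LoginGuard(), []
    for ts, source, account, ok in events:
        decision = guard.check(ts, source, account)
        decisions.append(decision)
        if decision != "block" and not ok:
            guard.record_failure(ts, source, account)
    return decisions

# Constructed sample data: one source walks a leaked list, one address per try.
STUFFING = [(i, "203.0.113.7", f"user{i}@example.com", False) for i in range(12)]
# Constructed sample data: one owner mistypes a password, then retries later.
TYPOS = [(100 + i, "198.51.100.20", "alice@example.com", False) for i in range(6)]
TYPOS.append((500, "198.51.100.20", "alice@example.com", True))

if __name__ == "__main__":
    print(replay(STUFFING))
    print(replay(TYPOS))
```

A "challenge" result corresponds to the extra scrutiny described above, such as limiting attempts or locking the account until the owner can be contacted. Per-source counting alone misses attempts spread across many addresses, so a real deployment would also watch the site-wide failure rate.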

Ring cameras have extremely sensitive data—live footage adjacent to and often within the home—at their disposal. This means that Ring should be extra careful with account information, not just employing basic account protections. And although Ring has 2FA available for accounts, they rarely encourage its use to protect user accounts, with the exception of the email above. Furthermore, they appear not to have followed any of the other best practices listed above. And instead of giving users clear channels of remediation, they’re placing the blame for the data breach on their own users.

Ring has demonstrated a pattern of being negligent in enforcing even basic web application security controls. As late as February they sent video feeds to their cloud providers completely unencrypted. Ring has done too little to prevent account breaches, instead opting to blame their customers for any security breaches. Ring claims its primary business is the security of their customers. Yet they’ve failed to follow even basic data security best practices, opting instead to put the burden on their customers.


This post has been republished with permission from a publicly-available RSS feed found on EFF.

About The Author

Cooper Quintin

The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows. Visit https://www.eff.org
