The Facts About Password Security

You may have seen reports recently about our customers’ Ring accounts. Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network. However, even though Ring’s systems were not compromised, we do want to share how these issues occurred, and some easy steps you can take to further protect your Ring account and other online accounts.

Here’s what happened.

Malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.

When people reuse the same username and password on multiple services, it’s possible for malicious actors to gain access to many accounts.

We’ve taken appropriate action to block these malicious actors and contacted all affected users directly.

Here’s what you can do now.

Even if your credentials were not obtained by malicious actors, we strongly encourage everyone to follow these password best practices.

  • Two-Step Verification.

    • We’ve made a second layer of verification mandatory for all users when they log into their Ring accounts. This added authentication helps prevent unauthorized users from gaining access to the Ring account.
  • Add Shared Users.

    • Don’t provide your login information to others. If you want to share access to your Ring devices with other people, simply add them as a Shared User. This allows you to maintain control of your account. And if you currently have Shared Users, please ask them to follow the password best practices below.
  • Use different passwords for each account.

    • By using different usernames and passwords for your various accounts, you reduce the risk that a malicious actor could reuse credentials compromised from one account to access another of your accounts.
  • Create strong passwords.

    • When creating a password, use a mix of numbers, letters (both uppercase and lowercase), and symbols – embracing long, non-dictionary based words or phrases.
  • Regularly update your passwords.

    • It’s good practice to update your passwords every 3-6 months. If it has been more than 6 months since you last updated, we recommend updating it now.

As a neighbor of Ring, your safety is our highest priority. We’re committed to helping you keep your home safe and protected – and that means keeping you informed with best practices for your online security, too.

If you have questions or need assistance with Two-Step Verification or changing your password, please contact our Support Team here.

Wishing you a safe and happy holiday,

The Ring Team

8 Likes

When will you support token 2FA (Google Authenticator, LastPass Authenticator, etc.)?

8 Likes

What do you think of the stance of EFF? I have been a supporter of their digital movement for some time and the integrity of their team to investigate and fight for digital security and rights. https://www.eff.org/deeplinks/2019/12/ring-throws-customers-under-bus-after-data-breach?fbclid=IwAR0MvAGsX–XxEdpn0iXMGuA737W6ERVx0U0PSW-QF1fZXi4s3XAzgofYBw

They feel you are not offering us good options to protect ourselves, not using password checking security tools that would eliminate people using previously breached passwords and not making 2 factor authentication easily available and advertised. If some customers use poor or previously breached passwords, this leaves all your customers at risk, as you share videos with other Ring users and through one person's account they can access many through the community.

3 Likes
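The breached-password screening mentioned in the post above can be sketched as follows. This is an added example, not part of the thread and not Ring's code; it is modelled on the k-anonymity range lookup that public breached-password services expose, with `range_lookup` standing in for the remote service and `BREACH_CORPUS` as constructed sample data.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: passwords as they might recur across third-party breach dumps.
BREACH_CORPUS = ["123456", "password", "qwerty", "password", "letmein", "123456", "123456"]


def sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup key of the range protocol here, never a storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Service side (hypothetical): hash -> number of times the password appeared in breach data.
_INDEX = Counter(sha1_hex(p) for p in BREACH_CORPUS)


def range_lookup(prefix: str) -> str:
    """Stand-in for the breach service: 'SUFFIX:COUNT' lines for a 5-hex-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(f"{h[5:]}:{n}" for h, n in sorted(_INDEX.items())
                     if h.startswith(prefix))


def breach_count(password: str, lookup=range_lookup) -> int:
    """How often the password appears in breach data; only 5 hash chars leave the caller."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip(), suffix):
            return int(count)
    return 0


def accept_new_password(password: str, min_length: int = 8):
    """Policy gate for sign-up and password change: returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "123456", "maple-otter-quartz-41"):
        print(pw, accept_new_password(pw))
```

Because the caller sends only a five-character hash prefix, the service never learns which password was checked.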

Hi @Parkersspace,

We understand that the safety of our customers and their loved ones is paramount, and Ring is one of the tools our customers use to feel secure and protected in their own homes and neighborhoods. Our mission is to make neighborhoods safer and to give users peace of mind by putting their trust in our products.

We have taken extra steps to analyze and identify Ring customers who may have had their credentials compromised through other companies’ breaches and to proactively let them know that their information was exposed – even if their Ring accounts were not impacted. Out of an abundance of caution, we also encourage our customers to follow security best practices like changing passwords and enabling two-factor authentication to keep their accounts secure. Additionally, we are continuing to monitor for and block potentially unauthorized login attempts into Ring accounts.

We are also excited to announce our release of a new security focused dashboard in the Ring mobile app called the Control Center! As part of this feature, you will be able to see and manage all mobile devices associated with the account and remove any potentially unauthorized devices. Learn more about it in this Ring Help Center article. Be on the lookout for it later this month!

Glad to see you guys are prioritizing security features like this.

Also noticed you are now sending emails when there are logins from new devices.

1 Like

Not too long ago I was researching options for HomeKit compatibility and stumbled upon open-source versions that can integrate for example with Ring.

But stopped short when I realized that they required downloaded APIs that would read your Ring credentials stored on a local config file. Unless you compile these APIs yourself, you are at the mercy of someone out there publishing precompiled packages.

Could it be possible these credentials were harvested from these or similar integrations?

Would it be best for Ring to finally do something about these and properly introduce your own integration with others or supply our own API?

1 Like

What is the current password attempt policy set to? If you don’t have 2FA turned on you can keep guessing a user’s password without getting a recaptcha window. Someone could use a brute force program to gain access to a user’s account.

If Ring is really concerned about security, they need to use real security, not easily stolen telephone 2FA. For example Auth apps, security keys like YubiKey, etc.

2 Likes

Verification codes via unencrypted email and SMS, both easily hacked, do not constitute true two-factor security. You need to do one or more of the following:

  1. Enable use of TOTP by authentication apps;
  2. Enable verification of login from a new device via notification on a trusted device already logged in (e.g. phone app);
  3. Use Amazon login front-end, which already supports solid two-factor authentication.

1 Like

Is Ring looking into adding additional options for 2FA such as Google Authenticator? It would be great as an option over SMS. TIA!

2 Likes

Thank you for this feedback, neighbor! We’re always working on improving our devices and security, and I’ve passed this feedback on to the team. 🙂

Thank you Ring Teams! The modified Two-Step Verification process makes me feel sufficiently safe using my Ring App and for logging into my Ring account. The initial version of this was way too excessive, having to do the Two-Step Verification so frequently, but now it has been ‘dialed back’ just about right.

Thank you for being responsive to our requests and comments on this.

🙂 🙂 🙂

1 Like