You may have seen reports recently about our customers’ Ring accounts. Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network. However, even though Ring’s systems were not compromised, we do want to share how these issues occurred, and some easy steps you can take to further protect your Ring account and other online accounts.
Here’s what happened.
Malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.
When people reuse the same username and password on multiple services, it’s possible for malicious actors to gain access to many accounts.
We’ve taken appropriate action to block these malicious actors and contacted all affected users directly.
Here’s what you can do now.
Even if your credentials were not obtained by malicious actors, we strongly encourage everyone to follow these password best practices.
Two-Step Verification.
We’ve made a second layer of verification mandatory for all users when they log into their Ring accounts. This added authentication helps prevent unauthorized users from gaining access to the Ring account.
Don’t provide your login information to others. If you want to share access to your Ring devices with other people, simply add them as a Shared User. This allows you to maintain control of your account. And if you currently have Shared Users, please ask them to follow the password best practices below.
By using different usernames and passwords for your various accounts, you reduce the risk that a malicious actor could reuse credentials compromised from one account to access another of your accounts.
When creating a password, use a mix of numbers, letters (both uppercase and lowercase), and symbols – embracing long, non-dictionary based words or phrases.
As a neighbor of Ring, your safety is our highest priority. We’re committed to helping you keep your home safe and protected – and that means keeping you informed with best practices for your online security, too.
If you have questions or need assistance with Two-Step Verification or changing your password, please contact our Support Team here.
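The credential-reuse pattern described in the announcement above leaves a recognizable shape in login logs: one source trying many different accounts with only one or two attempts each. The following is an added example, not Ring's code and not part of the original post; the log format, thresholds, function names and sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2020-01-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-01-01T10:00:03 203.0.113.7 bob@example.com FAIL
2020-01-01T10:00:04 192.0.2.44 erin@example.com FAIL
2020-01-01T10:00:06 203.0.113.7 carol@example.com OK
2020-01-01T10:00:09 203.0.113.7 dan@example.com FAIL
2020-01-01T10:00:12 203.0.113.7 eve@example.com FAIL
2020-01-01T10:00:20 192.0.2.44 erin@example.com OK
2020-01-01T10:01:00 198.51.100.20 frank@example.com FAIL
2020-01-01T10:01:02 198.51.100.20 frank@example.com FAIL
2020-01-01T10:01:04 198.51.100.20 frank@example.com FAIL
2020-01-01T10:01:06 198.51.100.20 frank@example.com FAIL
"""

def parse(log):
    """Yield (time, ip, user, succeeded) tuples from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def flag_stuffing(events, window=timedelta(minutes=5), min_users=4, max_per_user=2):
    """Map each suspicious source IP to the accounts it logged into successfully.

    A source is suspicious when, inside one window, it tries at least
    `min_users` distinct accounts with no more than `max_per_user` attempts
    each: the shape of replaying a leaked username/password list, as opposed
    to guessing many passwords for a single account or a user mistyping.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - first[0] <= window]
            attempts = Counter(e[2] for e in in_win)
            if sum(1 for n in attempts.values() if n <= max_per_user) >= min_users:
                # Accounts with a successful login from this source need a
                # password reset and owner notification.
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged

if __name__ == "__main__":
    print(flag_stuffing(parse(SAMPLE_LOG)))
```

On the constructed log, only 203.0.113.7 is flagged: the repeated failures against a single account and the user who mistyped once do not match the many-accounts pattern.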
They feel you are not offering us good options to protect ourselves, not using password checking security tools that would eliminate people using previously breached passwords and not making 2 factor authentication easily available and advertised. If some customers use poor or previously breached passwords this leaves all your customers at risk as you share videos with other Ring users and through one person's account they can access many through the community.
We understand that the safety of our customers and their loved ones is paramount, and Ring is one of the tools our customers use to feel secure and protected in their own homes and neighborhoods. Our mission is to make neighborhoods safer and to give users peace of mind by putting their trust in our products.
We have taken extra steps to analyze and identify Ring customers who may have had their credentials compromised through other companies’ breaches and to proactively let them know that their information was exposed – even if their Ring accounts were not impacted. Out of an abundance of caution, we also encourage our customers to follow security best practices like changing passwords and enabling two-factor authentication to keep their accounts secure. Additionally, we are continuing to monitor for and block potentially unauthorized login attempts into Ring accounts.
We are also excited to announce our release of a new security focused dashboard in the Ring mobile app called the Control Center! As part of this feature, you will be able to see and manage all mobile devices associated with the account and remove any potentially unauthorized devices. Learn more about it in this Ring Help Center article. Be on the lookout for it later this month!
Not too long ago I was researching options for HomeKit compatibility and stumbled upon open-source versions that can integrate, for example, with Ring.
But stopped short when I realized that they required downloaded APIs that would read your Ring credentials stored on a local config file. Unless you compile these APIs yourself, you are at the mercy of someone out there publishing precompiled packages.
Could it be possible these credentials were harvested from these or similar integrations?
Would it be best for Ring to finally do something about these and properly introduce your own integration with others or supply our own API?
What is the current password attempt policy set to? If you don’t have 2FA turned on you can keep guessing a user’s password without getting a recaptcha window. Someone could use a brute force program to gain access to a user’s account.
If Ring is really concerned about security, they need to use real security, not easily stolen telephone 2FA. For example Auth apps, security keys like yubikey, etc.
Verification codes via unencrypted email and SMS, both easily hacked, do not constitute true two-factor security. You need to do one or more of the following:
Enable use of TOTP by authentication apps;
Enable verification of login from a new device via notification on a trusted device already logged in (e.g. phone app).
Use Amazon login front-end, which already supports solid two-factor authentication.
Thank you Ring Teams! The modified Two-Step Verification process makes me feel sufficiently safe using my Ring App and for logging into my Ring account. The initial version of this was way too excessive, having to do the Two-Step Verification so frequently, but now it has been ‘dialed back’ just about right.
Thank you for being responsive to our requests and comments on this.