You may have seen reports recently about our customers’ Ring accounts. Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network. However, even though Ring’s systems were not compromised, we do want to share how these issues occurred, and some easy steps you can take to further protect your Ring account and other online accounts.
Here’s what happened.
Malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.
When people reuse the same username and password on multiple services, it’s possible for malicious actors to gain access to many accounts.
We’ve taken appropriate action to block these malicious actors and contacted all affected users directly.
Here’s what you can do now.
Even if your credentials were not obtained by malicious actors, we strongly encourage everyone to follow these password best practices.
As a neighbor of Ring, your safety is our highest priority. We’re committed to helping you keep your home safe and protected – and that means keeping you informed with best practices for your online security, too.
If you have questions or need assistance turning on Two-Factor Authentication or changing your password, please contact email@example.com.
Wishing you a safe and happy holiday,
The Ring Team
What do you think of the stance of EFF? I have been a supporter of their digital movement for some time and the integrity of their team to investigate and fight for digital security and rights. https://www.eff.org/deeplinks/2019/12/ring-throws-customers-under-bus-after-data-breach?fbclid=IwAR0...
They feel you are not offering us good options to protect ourselves, not using password checking security tools that would eliminate people using previously breached passwords and not making 2 factor authentication easily available and advertised. If some customers use poor or previously breached passwords this leaves all your customers at risk as you share videos with other Ring users and through one person's account they can access many through the community.
We understand that the safety of our customers and their loved ones is paramount, and Ring is one of the tools our customers use to feel secure and protected in their own homes and neighborhoods. Our mission is to make neighborhoods safer and to give users peace of mind by putting their trust in our products.
We have taken extra steps to analyze and identify Ring customers who may have had their credentials compromised through other companies’ breaches and to proactively let them know that their information was exposed – even if their Ring accounts were not impacted. Out of an abundance of caution, we also encourage our customers to follow security best practices like changing passwords and enabling two-factor authentication to keep their accounts secure. Additionally, we are continuing to monitor for and block potentially unauthorized login attempts into Ring accounts.
We are also excited to announce our release of a new security-focused dashboard in the Ring mobile app called the Control Center! As part of this feature, you will be able to see and manage all mobile devices associated with the account and remove any potentially unauthorized devices. Learn more about it in this Ring Help Center article. Be on the lookout for it later this month!
Glad to see you guys are prioritizing security features like this.
Also noticed you are now sending emails when there are logins from new devices.
Not too long ago I was researching options for HomeKit compatibility and stumbled upon open-source versions that can integrate for example with Ring.
But stopped short when I realized that they required downloaded APIs that would read your Ring credentials stored on a local config file. Unless you compile these APIs yourself, you are at the mercy of someone out there publishing precompiled packages.
Could it be possible these credentials were harvested from these or similar integrations?
Would it be best for Ring to finally do something about these and properly introduce your own integration with others or supply our own API?
Verification codes via unencrypted email and SMS, both easily hacked, do not constitute true two-factor security. You need to do one or more of the following:
Is Ring looking into adding additional options for 2FA such as Google Authenticator? It would be great as an option over SMS. TIA!