Over the past fortnight, and in a massive invasion of data and personal privacy, hackers have published thousands of valid Ring camera account credentials on the dark web and through hacking forums.
Ring cameras are used as a security feature on people’s front doors, to bring a sense of safety to their homes, but a software flaw left their network’s security wide open.
Hackers published these credentials to earn a reputation within the hacking community, but also “for the giggles,” in the hopes that others would follow in hacking Ring users: hijacking their accounts, recording users in their homes, and causing general mischief.
The lists were compiled using a technique called credential stuffing: hackers used special tools and apps that took usernames and passwords leaked via data breaches at other sites and tested their validity against Ring’s account system.
The username-password combos that matched were published online. In some cases, hackers released the tools they used to enable other hackers to get involved in the fun.
Following the breach came an onslaught of hacker ‘peacocking’, with many seeking praise and admiration for their exploits, and further reputation within the hacking community. Others were in it purely for trouble-making and entertainment.
A Ring spokesperson publicly stated that there was no breach of its internal servers. They said that, from their side, the accounts were compromised due to credential stuffing attacks and because users recycle passwords across various online services.
The company recently published a blog post with essential advice on how Ring camera owners could secure their accounts and prevent hackers from easily hijacking them.
However, in a counterattack, Vice announced that Ring could do better by adding extra security and safety features to its user accounts system. These may include support for a CAPTCHA to block automated attacks, or an indicator that alerts users when more than one person is logged into an account so that intrusions are detected promptly.
Another company with a similar issue is Disney+. Its problem is more severe, however, because unlike Ring it does not offer two-factor authentication. It seems Ring is not the only company with inadequate protection against credential stuffing attacks. Having upset one too many customers, Ring is currently dealing with a major PR crisis.
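The two account-side checks suggested above (challenging automated login attempts and flagging accounts logged into from more than one place) can be sketched over login events as follows. This is an added example, not code from Ring, Vice or the original article; the event format, thresholds, function names and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample login events: (epoch_seconds, source_ip, username, success)
EVENTS = [
    (1000, "203.0.113.7", "alice@example.com", False),
    (1002, "203.0.113.7", "bob@example.com", False),
    (1004, "203.0.113.7", "carol@example.com", True),   # reused password worked
    (1005, "203.0.113.7", "dave@example.com", False),
    (1010, "198.51.100.20", "erin@example.com", False),  # ordinary typo...
    (1030, "198.51.100.20", "erin@example.com", True),   # ...then success
    (1100, "192.0.2.44", "carol@example.com", True),     # real owner logs in
]

WINDOW = 60        # seconds; assumed threshold
MAX_USERNAMES = 3  # distinct accounts one IP may try per window; assumed


def ips_to_challenge(events, window=WINDOW, max_usernames=MAX_USERNAMES):
    """Return source IPs that tried many different accounts in a short window.

    One address cycling through many usernames is the signature of credential
    stuffing; these are the sources to put behind a CAPTCHA or rate limit.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, username) inside the window
    flagged = set()
    for ts, ip, user, _ok in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= max_usernames:
            flagged.add(ip)
    return flagged


def accounts_with_multiple_sources(events):
    """Return {username: [ips]} for accounts with successful logins from
    more than one address, the condition the suggested indicator would show."""
    seen = defaultdict(set)
    for _ts, ip, user, ok in events:
        if ok:
            seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    print("challenge:", ips_to_challenge(EVENTS))
    print("notify owners:", accounts_with_multiple_sources(EVENTS))
```

A user who mistypes a password once and then succeeds (erin in the sample) is not flagged by either check, because only one account and one address are involved.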