The usernames, passwords, camera names, and time zone information of over 3000 Amazon Ring customers have been leaked, giving hackers the potential to scrape contact and payment details, as well as access the cameras of the smart doorbell devices.
An investigation by BuzzFeed News revealed that the data leak means that hackers could access not only live video feeds but, depending on each customer’s storage plan, clips from the last 30 to 60 days.
Worse still, BuzzFeed says it was alerted to the leak by a security researcher who found the details in plain, unencrypted text, by using a simple web scraping tool.
BuzzFeed verified the leak with four individuals whose log-ins were compromised, all of whom said that Amazon had not notified them in advance. The company said all affected customers would be contacted, and they are being urged to change their passwords.
A Ring spokesperson denied that the company itself has suffered a data breach, however: “Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.”
“It is not uncommon for bad actors to harvest data from other companies’ data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”
While this may be the case, Ring’s inability to notify customers of attempted log-ins from other IP addresses means users might not even be aware their security has been compromised. Fortunately, there are steps you can take to help prevent this happening.
Amazon Ring data leak – how to protect yourself
None of the four customers contacted by BuzzFeed had enabled 2FA, short for two-factor authentication, and also called two-step verification. 2FA is something that Ring doorbell cameras support, and you should use it.
Once 2FA is set up, you use a second device, usually your phone, to verify log-ins: you’ll receive either a text message or an on-screen prompt on that device any time you (or anyone else) attempts to access your Ring cameras.
You should also change your router’s admin password (in case it’s been shipped with something basic and insecure like ‘admin’, or ‘password’), as well as the network password – a report from security software vendor Bitdefender earlier this year revealed how Ring cameras were leaking Wi-Fi network passwords, courtesy of a now-patched vulnerability.
While you’re at it, you should make sure that you always have the latest security patches from Ring installed.
To be on the safe side, you should change your Ring passwords, too, even if you don’t think you’re one of the affected Ring punters.
Amazon has not commented on the nature of the leak in terms of where the affected customers are based. Trusted Reviews has contacted Ring users based in the UK, and so far, none of them have reported any suspicious activity.
Even if Amazon hasn’t been in touch, it’s good practice to regularly refresh your passwords, or make use of a password manager, if you wish.
Earlier this week, the experimental Neighbors app, which lets Ring users in a local area share footage, was criticised, after an investigation revealed that the app also collected latitudinal and longitudinal geotags.
Though it’s hard to imagine how a digital neighbourhood watch scheme would function without collecting some location data, the geotags collected are accurate enough to pinpoint a square inch of ground.