Over the past two weeks, hackers have published thousands of valid Ring camera account credentials on hacking forums and the dark web.
In most cases, they did it to gain a reputation in the hacking community, but also “for the giggles,” in the hopes that someone else would hack Ring users, hijack their accounts, play pranks, or record users in their homes.
These lists of credentials were compiled using a technique called credential stuffing. Hackers used special tools and apps that took usernames and passwords leaked via data breaches at other sites and tested their validity against Ring’s account system.
The username-password combos that matched, they published online. In some cases, hackers also published the tools they used, to let other hackers have a go themselves.
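The technique described above has a recognisable footprint in a service's own authentication logs: one source hits many different accounts in a short time, tries each only once or twice, and gets a low but non-zero success rate. As an added illustration (this is example code, not anything from the article, Ring, or the tools it mentions), the following Python detector applies that rule to a constructed sample log. The log format, IP addresses and account names are all made up for the example; the thresholds are assumptions a defender would tune to their own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not Ring's):
# "<UTC timestamp> <source IP> <account> <outcome>"
# 198.51.100.5 / 192.0.2.44: ordinary users. 203.0.113.7: stuffing pattern
# (12 accounts, one try each, 2 hits). 203.0.113.9: brute force on one account.
SAMPLE_LOG = """\
2019-12-11T10:00:00Z 198.51.100.5 alice@example.net FAIL
2019-12-11T10:00:09Z 198.51.100.5 alice@example.net OK
2019-12-11T10:00:01Z 203.0.113.7 user01@example.net FAIL
2019-12-11T10:00:02Z 203.0.113.7 user02@example.net FAIL
2019-12-11T10:00:03Z 203.0.113.7 user03@example.net OK
2019-12-11T10:00:04Z 203.0.113.7 user04@example.net FAIL
2019-12-11T10:00:05Z 203.0.113.7 user05@example.net FAIL
2019-12-11T10:00:06Z 203.0.113.7 user06@example.net FAIL
2019-12-11T10:00:07Z 203.0.113.7 user07@example.net FAIL
2019-12-11T10:00:08Z 203.0.113.7 user08@example.net OK
2019-12-11T10:00:09Z 203.0.113.7 user09@example.net FAIL
2019-12-11T10:00:10Z 203.0.113.7 user10@example.net FAIL
2019-12-11T10:00:11Z 203.0.113.7 user11@example.net FAIL
2019-12-11T10:00:12Z 203.0.113.7 user12@example.net FAIL
2019-12-11T10:01:00Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:01Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:02Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:03Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:04Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:05Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:06Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:07Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:08Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:01:09Z 203.0.113.9 bob@example.net FAIL
2019-12-11T10:05:00Z 192.0.2.44 carol@example.net OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct=8, max_success_ratio=0.2):
    """Flag source IPs whose attempts look like credential stuffing: many
    attempts inside `window`, spread over many distinct accounts, with a low
    success rate. One account hammered with many passwords (brute force) is a
    different pattern, handled by per-account lockout, and is not flagged."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, account, outcome = parse_line(line)
            by_ip[ip].append((ts, account, outcome))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide `start` forward so the window never spans more than `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            accounts = {acct for _, acct, _ in win}
            hits = [acct for _, acct, outcome in win if outcome == "OK"]
            if len(accounts) >= min_distinct and len(hits) / len(win) <= max_success_ratio:
                # keep the largest qualifying window seen for this IP
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_accounts": len(accounts),
                        "successes": len(hits),
                        # accounts that accepted a stuffed credential:
                        # these are the ones to reset and notify
                        "compromised": sorted(set(hits)),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "compromised" list is the operational output: it is the set of accounts that accepted a reused password, which is what a provider needs in order to force resets and notify owners, as the article says Ring did. In practice the source key would also include device fingerprints or ASN, since stuffing tools rotate through proxy pools, and the thresholds would be calibrated against normal login volume.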
BuzzFeed reported yesterday about a list of 3,600+ Ring accounts. TechCrunch reported on another list of 1,500 Ring accounts. ZDNet also received the list that TechCrunch received.
The person who tipped ZDNet said he notified Ring of the issue earlier this week, and the company began resetting passwords and notifying customers.
ZDNet also received links to three other instances where hackers had compiled lists of credentials for Ring accounts, which they dumped online to boost their reputation among their peers.
Two of those lists were taken down by the service provider where they were uploaded. The last was a list claiming to hold credentials for 100,000 Ring accounts.
ZDNet shared the list with Ring’s security team. The company said that of the 100,000 credentials only 4,000 entries were for valid Ring accounts. The company wasn’t aware of this particular list but said it had already reset the passwords and notified the account owners, suggesting that other hackers had identified these same accounts earlier.
This data, too, unquestionably originated from credential stuffing. All the emails ZDNet tested had been included in breaches at other services.
We tested many against the Have I Been Pwned service, and they were all listed in various breaches where combinations of emails and passwords had been leaked in the past.
Some of the Ring users from the list whom we contacted confirmed they reused passwords. Some said they had changed passwords on their own after reading about hacks of Ring security cameras on various sites. Some were still using the passwords and proceeded to change them after we reached out.
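Password reuse is what makes these lists work, and one countermeasure a service can apply at signup and password reset is to refuse any password already present in a known breach corpus. The Pwned Passwords service behind Have I Been Pwned exposes this as a range query: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally, so the full hash never leaves the machine. The following Python block is an added example written for this page, not code from the article, Ring, or Have I Been Pwned; the range-endpoint behaviour it assumes is the publicly documented one, and the response it runs against offline is constructed (the first suffix is the real SHA-1 tail of the string "password", everything else in it is made up).

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range endpoint. The real API
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>) returns lines of
# "<35-hex-char suffix>:<count>", one per breached hash sharing that prefix.
# "5BAA6..." is the real SHA-1 of "password"; the other suffixes and all
# counts below are invented for this example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000001:7",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ]),
}


def fetch_range_fake(prefix):
    """Offline substitute for the HTTP call; unknown prefixes yield no rows."""
    return FAKE_RANGES.get(prefix, "")


def fetch_range_live(prefix):
    """Query the real range endpoint (network access required; the offline
    demonstration never calls this). The service expects a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_range(text):
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fetch_range_fake):
    """How many times `password` appears in the corpus. Only the 5-char
    prefix of its SHA-1 is sent out; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range=fetch_range_fake):
    """Policy hook for signup or reset: reject anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "long-unique-passphrase-for-this-site-only"):
        print(candidate, "->", "rejected" if not password_acceptable(candidate) else "ok")
```

To run it against the live service, pass `fetch_range_live` as the `fetch_range` argument. A check like this only blocks passwords already known to be breached; it does not help an account whose unique password leaks later, which is why the article's other recommendation, two-factor authentication, still matters.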
Furthermore, the hacker who published the list of 100k accounts had also previously published a “Ring config” for OpenBullet, a tool that is used for automating credential stuffing attacks.
The list of 100k Ring accounts was published online on December 11, the same day that Vice published an article about the appearance of tools for hacking Ring accounts on underground hacking communities.
The next day, Vice published a report on how hackers were using these tools to break into accounts, and then scare, prank, and record Ring camera users in their homes, recordings which they were later sharing in a Discord chatroom, part of a podcast named Nulledcast.
These two articles, and the others that followed detailing Ring camera hacks, spurred interest on hacking forums in Ring-related hacks.
Messages posted on various underground forums showed that users began soliciting and sharing lists of valid Ring user credentials, and the tools to test and hijack accounts.
Hackers shared these lists encouraging others to record Ring owners through their Ring camera, and share the recording “for the giggles.”
Others simply shared lists for no other reason than to sustain or boost their reputation, justifying it by saying they always “deliver” what the community wants or asks for.
Cracked and Nulled, the two forums at the heart of the two Vice articles, banned any Ring-related topic last week, in an effort to prevent drawing law enforcement inquiries, although the two forums host other illegal or hacked content.
However, there are currently other online forums that have no problem harboring hackers who continue to trade in Ring-related hacking tools and compromised accounts.
A Ring spokesperson told ZDNet yesterday that there was no breach of its internal servers, and from its side, the accounts are compromised due to credential stuffing attacks and because of users reusing passwords across online services.
Last week the company published a blog post with basic advice on how Ring camera owners can secure their accounts and prevent hackers from easily hijacking them.
In a follow-up report this week, Vice said Ring could do better by adding additional security and safety features to its Ring user accounts system, such as support for a CAPTCHA to prevent automated attacks, or an indicator when more than one person is logged into an account, to help users detect intrusions.
Ring is not the only company with poor protection against credential stuffing attacks. Disney+ has a similar problem, and probably a worse one, since unlike Ring it doesn’t offer two-factor authentication.
Ring is also dealing with a PR crisis right now due to a somewhat too close collaboration with US law enforcement that has rubbed many of its customers the wrong way.