Thousands of Ring users exposed as company's PR nightmare continues

Ring Indoor Cam
(Image credit: Ring)

Ring has suffered a data leak that exposed the personal information of more than 3,600 users, according to BuzzFeed News -- or did it? The security-camera maker denies its systems were breached.

Despite the public-relations nightmare that a recent string of reported "hacks" has birthed, I believe the Amazon-owned company is telling the truth. Here's why.

When I heard a bad actor hacked an 8-year-old's indoor Ring cam and claimed to be Santa Claus, I dug into the coverage of similar cases nationwide. 

The common denominator among all the attacks was not that a malicious entity got into Ring's trove of personal data. It's that the "hackers" gained entry to Ring online accounts through the front door -- by using the legitimate users' previously compromised, reused passwords. 

The kind of data BuzzFeed News says was exposed in the data leak, such room names and payment information along with email address, passwords and time zones, could have come from a breach of Ring's systems. 

But it also could have been "scraped" from Ring accounts that had already been accessed through compromised credentials. 

The fact that the number of affected accounts is in the low thousands rather than in the hundreds of thousands indicates that Ring accounts were likely not breached en masse.

As for how Ring-cam assailants got into those accounts, there are a number of ways to carry out such an attack. Most are alarmingly simple. 

There's software circulating the internet, for example, that shuffles through username-and-password combinations compromised in previous data breaches until it finds a correct match.  

A lucky guess could do the trick, too. That's why it's imperative to create a password that's long, strong and unique. We also recommended enabling two-factor authentication (2FA) both on Ring cameras and  when any other company offers it.

But do I think Ring has taken enough steps to assure users their accounts are kept safe? Absolutely not. 

As The Verge pointed out, Ring hasn't taken the kind of measures Google has to notify users when an account has been logged into from an unknown device or IP address. And although Ring offers 2FA, it didn't start stressing the importance of this account-protecting feature to users until last week. 

Still, the Ring cameras involved in these incidents are internet-enabled devices some have decided to adopt in their most sacred spaces. While indoor security cameras certainly provide practical purpose, it'd be an error on the user's part to give it the same password they use for Facebook.

When it comes to our smart home security tips, none is more key than devising unique passwords for your accounts -- especially for ones linked to video and audio devices in your home.

Kate Kozuch

Kate Kozuch is the managing editor of social and video at Tom’s Guide. She covers smartwatches, TVs and audio devices, too. Kate appears on Fox News to talk tech trends and runs the Tom's Guide TikTok account, which you should be following. When she’s not filming tech videos, you can find her taking up a new sport, mastering the NYT Crossword or channeling her inner celebrity chef.