Dark Web passwords- A security researcher has found on the dark web 1,562 unique email addresses and passwords associated with Ring doorbell passwords.
The list of passwords was uploaded on Tuesday to an anonymous dark web text-sharing site, commonly used to share stolen passwords and illicit materials. A security researcher found the cache of email addresses and passwords, which can be used to log in to and access the cameras, as well as their time zone and the doorbell’s location, such as “driveway” or “front door.”
The researcher reported the findings to Amazon — which owns the Ring brand — but Amazon asked that the researcher not discuss their findings publicly.
At the time of writing, the dark web listing is still accessible.
It’s the second reported leak of Ring credentials today. Earlier on Thursday, BuzzFeed News reported that a similar cache of data on more than 3,600 Ring doorbells was posted online. The data appears to be a similar-looking data set to that which BuzzFeed obtained. Anyone with a working email address and password can log into a Ring account and obtain the Ring customer’s address, phone number and some payment information. The credentials also give the user access to the Ring devices in that home, including access to historical video data if the setting is enabled.
It’s not known how the data was exposed.
TechCrunch contacted a dozen individuals whose information was found on the dark web listing. We provided each person with their password. Of those who responded, all confirmed that it was their password.
On our advice, all changed their passwords, and some enabled two-factor authentication on their accounts.
Nearly all of the passwords we reviewed were relatively simple and potentially easy to guess. It’s possible that the passwords were obtained by password spraying, a technique hackers use to guess passwords, or credential stuffing, where hackers take existing sets of exposed or breached usernames and passwords matched against different websites to access accounts.