FTC Orders Ring to Pay $5.8 Million in Refunds For Surveilling Customers, Failing to Stop Hackers

The Federal Trade Commission (FTC) has published a proposed order against Ring that would see the surveillance camera maker pay $5.8 million in consumer refunds, as well as prohibit the company from profiting from unlawfully accessed consumer videos, according to an announcement from the FTC published Wednesday. The FTC’s complaint says hackers broke into a massive 55,000 Ring accounts belonging to U.S. customers, in some cases maintaining access to linked devices for more than a month.

The FTC’s move comes after Motherboard published several investigations into a wave of hacks that targeted Ring accounts and their respective cameras across the country in December 2019. Motherboard found hackers discussing creating tools to break into Ring accounts on crime forums; uncovered a podcast where hackers live streamed the harassment of unsuspecting victims; and finally documented in detail the myriad security issues with Ring accounts by purchasing and testing a Ring camera ourselves.

“Because Ring did not take these measures, the attacks continued to succeed,” the FTC’s complaint against Ring reads. “For example, on December 12, 2019, prominent media outlets began publishing reports about hacked Ring devices, where hackers used access to cameras to harass and threaten children and families.”

During the 55,000 account compromises, hackers went further in many cases. For at least 910 U.S. accounts related to around 1,250 Ring devices, hackers also accessed a stored video, live stream, or viewed the customer’s profile, according to the complaint.

In Motherboard’s December 2019 investigation laying out the security issues with Ring, we pointed to Ring allowing people to login from unknown IP addresses even when connecting from multiple countries around the world simultaneously; the company not giving users a way to see how many users are currently logged into their account; Ring not checking user’s password hashes against already known compromised credentials; a lack of SMS verification in response to an unknown login; allowing unfettered access over the Tor anonymity network; and Ring seemingly not deploying any form of rate limiting, which stops hackers from entering possible passwords again and again in quick succession. Specifically, all of these make “credential stuffing” and “brute force” attacks easier for a hacker.

In its own complaint the FTC pointed to much the same issues Motherboard found at the time.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the announcement. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

Separate from the account security issue, Ring employees also accessed consumer content without consent. Under the proposed order, Ring will be required to delete data products derived from those unlawfully reviewed videos, and implement a privacy and security program as well as “other stringent security controls, such as multi-factor authentication for both employee and customer accounts,” the announcement adds.

A federal court needs to approve the order before it can go into effect. Ring did not immediately respond to a request for comment.