Ring is everywhere nowadays. The Amazon-owned company’s doorbell-slash-security-camera products are so ubiquitous that it would be a real problem if bad actors got a hold of the data of its tens of millions of users.
Enter that potential problem: the ALPHV ransomware group.
As first reported by Vice, this hacker collective is claiming to have breached Amazon Ring and is threatening to leak the data it has stolen.
“Ring: Security Systems,” reads a message posted on ALPHV’s website. “There’s always the option to let us leak your data.”
Despite the claims by the ransomware group, Amazon Ring has denied any breach of its systems.
“We currently have no indications that Ring experienced a ransomware event,” an Amazon Ring spokesperson told Mashable in an email.
According to an additional statement from the company, Amazon Ring says it is aware of a third-party vendor that has been targeted in a ransomware attack. Furthermore, Vice reports that the link to its report was shared in one of Amazon’s internal Slack channels along with a warning: “Do not discuss anything about this. The right security teams are engaged.”
ALPHV is a known ransomware-as-a-service hacker group. This basically means that instead of a malicious code going through what its programmed to do in an attack on a user, everything that ALPHV is human-driven with each step changing based on what the group finds in its ransomware campaign on a target. ALPHV typically uses a ransomware malware called Blackcat.
It’s unclear exactly what data ALPHV claims to have. Amazon has said that the third-party vendor does not have access to any customer information. Last September, Amazon Ring officially enabled end-to-end encryption of the audio and video data it uploads to the company’s cloud services. Such security measures make it much more difficult for an unauthorized party to access users’ media files.
However, Ring has had its fair share of privacy and security issues recently. In response to an inquiry from Sen. Ed Markey (D-MA), Amazon has admitted to providing private recordings from Ring devices to law enforcement without the knowledge or consent of its users. The company did this 11 times in 2022.
Ring also quietly rolled out a major security update for its Android app in May of last year without informing its users of the issue. According to security researchers at Checkmarx, Amazon patched up a major vulnerability affecting its Android app which had the potential to expose users’ name, email, phone number, address, and recordings.