In most cases, hackers used "dictionary" or "credential stuffing" attacks to gain access to Ring accounts that used easy-to-guess passwords, or passwords that have been leaked online during breaches at other services.
Some hackers even recorded themselves scaring Ring account owners in their homes, making threats, or lewd comments and then publishing the recordings part of "podcasts" in a Discord channel.
These hacks have become common since December last year. Ever since they became mainstream, Ring's management has been criticized for not doing enough to secure user accounts.
In December last year, Ring tried to help users by adding "login notifications" for every time someone logged into a Ring account in the hopes that users would spot unauthorized logins. A month later, in January, Ring also added a new control center section where users could see other devices connected to their Ring accounts, and forcibly disconnect devices they believed were operated by hackers. However, both features were dismissed as being insufficient.
Today's move to make 2FA a mandatory feature is a first step in the right direction. The reason is that the first two features were passive protections, allowing users to react following a hack. Today's move is an active protection because 2FA will prevent hackers from accessing Ring accounts in the first place.
"With every login on your Ring account, you'll receive a one-time, six-digit code to verify your login attempt," Ring President Leila Rouhi said today in a blog post announcing the move. "You'll need to enter that code before we will allow access to your Ring account."
Ring's new 2FA rule will start being enforced today, and users will be asked to choose between an email or SMS-based 2FA method the next time they log in.
In addition, the Amazon-owned company also announced that beginning immediately, they are " temporarily pausing the use of most third-party analytics services in the Ring apps" and adding controls to the Ring settings center to let users opt-out of sharing their data with third-party service providers for the purpose of receiving personalized ads.
The biggest Internet of Things, smart home hacks of 2019