The Federal Trade Commission is sending $5.6 million in refunds to Ring users whose private video feeds were accessed without consent by Amazon employees and contractors, or had their accounts and devices hacked because of insufficient security protections.
The action is part of a settlement following a complaint from May 2023 alleging that Ring failed to implement adequate security measures to protect the devices from unauthorized access.
Ring is an Amazon subsidiary known its smart home security products, including video doorbells, indoor and outdoor security cameras, central alarm hubs, smart sensors, motion-activated lights, and more.
The devices are connected to the internet and provide users remote access and control through a mobile application.
In the original complaint, FTC alleged that Ring allowed its employees unlimited access to people’s Ring devices to help them increase productivity and development pace.
Additionally, Ring also gave high-level access to customer support agents, including hundreds of third-party contractors located in Ukraine and elsewhere, who operated without restrictions to protect customers against abusive access.
Apart from lax policies for internal access, FTC also alleged that Ring failed to implement basic security measures such as multi-factor authentication (MFA) until 2019, which led to easier user account hijacking and access to private video feeds through credential stuffing and brute-forcing attacks.
For the damage done, FTC is now sending payments through PayPal to a little over 117,000 Ring consumers as part of the settlement. Customers need to redeem the funds in the next 30 days.
“The FTC identified eligible Ring customers based on data provided by the company,” the agency told BleepingComputer, clarifying that Ring users “were eligible for a payment if their account was vulnerable because of privacy and security problems alleged in the complaint.”
For more information on how FTC sends payments, consumers are advised to consult the agency’s FAQ page.