Imagine entering your bedroom, hearing the creepy Tiny Tim song “Tiptoe Through the Tulips,” and then meeting a strange, disembodied voice that tells you to call your mother racial slurs or mess up your room. Oh yeah, and the voice says that you’re best friends. And it’s actually Santa Claus who’s talking to you. All of this, by the way, happens through a Ring home security system.
This sounds bonkers, but it’s actually only a fraction of what happened to eight-year-old Alyssa LeMay when she noticed the blue light blinking on the Ring security camera installed in her room–meaning someone was watching her.
“I was down the street when my husband messaged me, asking if I had been messing with the girls with the Ring,” Alyssa’s mother, Ashley LeMay, told BuzzFeed News. “I started watching the video on my phone and when I heard his voice and realized it was not my husband’s voice my heart just dropped and I ran back to the house.”
The December 4 incident is disturbing in its own right, but it’s also terrifying for two other reasons: This isn’t an isolated occurrence, as there have been other instances of Ring hackers gaining access to feeds of peoples’ homes, and Ring seems to have no idea what’s going on—or is playing dumb.
Ashley LeMay immediately called Amazon-owned Ring after she watched the full 10-minute recording of the hacker’s interaction with her daughter. Then, the next day, the family left for a cruise they had already planned. On December 6, two days after the initial interaction, Ring sent Ashley an email that said the company had detected “unusual activity” on their account. On December 9, she spoke to a Ring employee who told her that the family account had not been hacked, and that it was a data breach from a third party that was at fault.
Ring told BuzzFeed News its security team investigated this incident and found “no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.”
According to the company’s statement, some users’ credentials, including their usernames and passwords, had been acquired through a separate non-Ring service. As a result, non-secure passwords, reused across websites, left some Ring accounts vulnerable.
“Unfortunately, when the same username and password is reused on multiple services, it’s possible for bad actors to gain access to many accounts,” a company spokesperson said.