The Ring Doorbell 2 can be hacked – but almost certainly not the way you’re imagining. Nobody is exploiting a firmware vulnerability to remotely seize your doorbell. What happened in the real-world cases was simpler and more embarrassing: people reused passwords, and credential stuffers walked right in.
The short answer is: yes, accounts can be compromised. The device itself is harder to attack than the account protecting it. Here’s what actually went wrong, what Ring fixed, and what you should do about it.
Quick rundown
- The Ring Doorbell 2 was discontinued in April 2020. Ring still supports it with app and firmware updates, but the current equivalent is the Ring Battery Doorbell Plus.
- The 2019-2020 hacking wave was credential stuffing – attackers used leaked username/password combos from other sites, not Ring exploits.
- Ring made 2FA mandatory for all accounts in February 2020. If you have a Ring account, you already have it.
- End-to-end encryption (E2EE) is available for the Ring Doorbell 2 as an opt-in feature. It means Ring itself cannot access your footage.
What actually happened in 2019-2020
In late 2019, a dataset of 3,672 Ring account credentials showed up on a dark web forum. Email addresses, passwords, camera names, time zones – the works. The FTC later confirmed that over 55,000 U.S. Ring accounts were compromised between January 2019 and March 2020.
This was not Ring getting breached. This was credential stuffing – attackers taking username/password pairs leaked from unrelated sites (there are billions of these floating around) and trying them against Ring accounts. If you used the same password for Ring that you used somewhere else that got hacked, they were in. That’s it. No clever exploit, no zero-day.
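What that pattern looks like from the login service's side, as an added example (not Ring's code and not from the original article): a short Python detector run over a constructed login log. The log format, field order and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): time, source IP, account, result.
SAMPLE_LOG = """\
2020-01-05T10:00:01 203.0.113.7 alice@example.com FAIL
2020-01-05T10:00:03 203.0.113.7 bob@example.com FAIL
2020-01-05T10:00:04 203.0.113.7 carol@example.com OK
2020-01-05T10:00:06 203.0.113.7 dave@example.com FAIL
2020-01-05T10:00:09 203.0.113.7 erin@example.com FAIL
2020-01-05T10:00:11 203.0.113.7 frank@example.com FAIL
2020-01-05T10:02:00 198.51.100.20 grace@example.com FAIL
2020-01-05T10:02:20 198.51.100.20 grace@example.com FAIL
2020-01-05T10:02:45 198.51.100.20 grace@example.com OK
2020-01-05T10:05:00 192.0.2.44 heidi@example.com OK
"""

def parse_log(text):
    """Yield (timestamp, ip, account, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            yield datetime.fromisoformat(ts), ip, account, result == "OK"

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many different accounts, mostly failing."""
    # Thresholds are illustrative assumptions. A mistyped password hits one
    # account; a stuffing run walks a leaked list, so count accounts per IP.
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, *_rest) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            accounts = {e[2] for e in in_win}
            fail_ratio = sum(not e[3] for e in in_win) / len(in_win)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                # Successes inside a flagged run are likely reused passwords.
                hits = sorted({e[2] for e in in_win if e[3]})
                flagged[ip] = {"accounts": len(accounts),
                               "fail_ratio": round(fail_ratio, 2),
                               "likely_compromised": hits}
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The user who mistypes a password three times on one account is not flagged; the source that cycles through six accounts is, and the one login that succeeded inside that run is the account to lock and reset first.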
There were also internal problems. The FTC’s 2023 complaint against Amazon noted that Ring employees and contractors had inappropriately accessed customer video. Ring settled for $5.6 million. That’s a separate (and frankly worse) issue from the credential stuffing story, but worth knowing.
What Ring changed after 2020
Ring responded to the backlash with a few meaningful changes:
- Two-factor authentication became mandatory for all Ring accounts in February 2020. Every login now requires a one-time code sent to your phone or email, so a stolen password alone is not enough.
- Ring introduced login notifications – you get alerted when a new device signs in to your account.
- In January 2021, Ring launched end-to-end encryption (E2EE) as an opt-in feature. The Ring Doorbell 2 supports it. When enabled, video is encrypted such that only your enrolled device can decrypt it – Ring’s own servers cannot read the footage.
Ring also uses TLS encryption for video data in transit between the device and Ring’s servers. That baseline has been in place for years – the 2019 incidents were account-level, not interception of video streams.
The real attack vectors (and how rare they actually are)
Credential stuffing: Still the most likely threat. Someone gets your email and password from a different breach and tries it on Ring. Fixed by: unique password + 2FA.
Shared login credentials: Giving your Ring login details to a houseguest, contractor, or family member who no longer needs access. Fixed by: use Ring’s Shared User feature instead of sharing your actual credentials, and remove users when they no longer need access.
Wi-Fi network attacks: Theoretically, someone could set up a rogue hotspot or intercept traffic on a poorly secured home network. In practice, Ring’s TLS encryption means intercepted packets are not useful. The more realistic risk is someone getting onto your home network and then moving laterally to the other devices connected to it.
“Wardriving” for smart home devices: Technically possible, practically rare. Driving around scanning for Ring devices to exploit is not a common attack pattern because the payoff is low and the effort is high.
How to lock down your Ring Doorbell 2
You don’t need to do much. The biggest gains come from the basics – the same basics that protect every online account you own.
Use a unique password for your Ring account
Don’t reuse a password from any other site. Use a password manager (1Password, Bitwarden, etc.) to generate and store a strong unique password. This alone would have prevented the vast majority of 2019-2020 incidents.
Confirm 2FA is active on your account
Go to the Ring app, tap the menu icon, then Account > Two-Step Verification. Ring made this mandatory in 2020, so it should already be on. Verify it anyway.
Enable end-to-end encryption (optional but recommended)
In the Ring app: tap the menu icon, then Control Center > Video Encryption > End-to-End Encryption > Enable. You’ll create a passphrase – save it somewhere safe, because losing it means losing access to encrypted footage. Note: E2EE disables some features including Amazon Echo Show playback, shared user video access, and Ring.com viewing.
Audit your shared users
Ring app > Account > Shared Users. Remove anyone who no longer needs access. Never share your actual Ring login – add people as shared users instead.
Keep your Ring app and firmware updated
Ring pushes firmware updates automatically. For the app, enable auto-updates in the App Store or Google Play. If you want to manually check firmware: Ring app > Device Settings > Device Health > Firmware.
Should you still use a Ring Doorbell 2?
The Ring Doorbell 2 has been discontinued since April 2020 – Ring pulled it from their own store when the Ring 3 launched. If yours is already installed and working, there’s no security reason to replace it (Ring still pushes firmware updates). The security concerns were account-level, not hardware-level.
If you’re replacing a dead unit or buying new, the Ring Battery Doorbell Plus is the current equivalent – head-to-toe HD+ video, the same removable quick-release battery, and compatible with all the same Ring app features. It also supports E2EE.
