The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.

We don’t know how this tranche of customer information was leaked. Ring denies any claims that the data was compromised as a part of a breach of Ring’s systems. A Ring spokesperson declined to tell BuzzFeed News when it became aware of the leak or whether it affected a third party that Ring uses to provide its services.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

It is not clear what “other company's data breaches” the spokesperson was referring to.

The Ring spokesperson added that the company will notify customers who were affected and require them to reset their passwords. An affected customer told BuzzFeed News that they received a notice on Dec. 18.

Security experts told BuzzFeed News that the format of the leaked data — which includes username, password, camera name, and time zone in a standardized format — suggests it was taken from a company database. They said data obtained via credential stuffing —when previously-compromised emails and passwords are used to get access to other accounts — would likely not display RIng-specific data like camera names or time zone.

“One could argue that the person maybe got these through credential stuffing,” Cooper Quintin, a security researcher and senior staff technologist at the Electronic Frontier Foundation, told BuzzFeed News. “But if that was the case, why did that person go through and add the information about names of camera and time zones?”

Quintin described the leak as “stunning.”

“This gives a potential attacker access to view cameras in somebody’s home in some of these cases — that’s a real serious potential invasion of privacy right there,” he said.