After updating HASIO to HA 0.103.2 and HassOS 3.7
Ring doorbell - which has been working all year, now fails:
Error: 403 Client Error: Forbidden for url: https://api.ring.com/clients_api/session
The following components and platforms could not be set up:
had an email from ring:
The facts about
password security.
You may have seen reports recently about our customers’ Ring accounts. Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorised intrusion or compromise of Ring’s systems or network. However, even though Ring’s systems were not compromised, we do want to share how these issues occurred, and some easy steps you can take to further protect your Ring account and other online accounts.
Here’s what happened.
Malicious actors obtained some Ring users’ account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log into some Ring accounts.
When people reuse the same username and password on multiple services, it’s possible for malicious actors to gain access to many accounts.
We’ve taken appropriate action to block these malicious actors and contacted all affected users directly.
Here’s what you can do now.
Even if your credentials were not obtained by malicious actors, we strongly encourage everyone to enable Two-Factor Authentication and follow these password best practices.
Enable Two-Factor Authentication.
Turn on this enhanced security feature in the Ring app to receive a unique code via text message to your phone whenever you or someone else attempts to log into your Ring account and is asked for your Ring password. Many other online services offer Two-Factor Authentication as well, and we encourage you to turn this feature on wherever available in your other online accounts.
Turn On Now
Add Shared Users.
Don’t provide your login information to others. If you want to share access to your Ring devices with other people, simply add them as a Shared User. This allows you to maintain control of your account. And if you currently have Shared Users, please ask them to enable Two-Factor Authentication and follow the password best practices below.
Learn More
Use different passwords for each account.
By using different usernames and passwords for your various accounts, you reduce the risk that a malicious actor could reuse credentials compromised from one account to access another of your accounts.
Learn More
Create strong passwords.
When creating a password, use a mix of numbers, letters (both uppercase and lowercase), and symbols – embracing long, non-dictionary based words or phrases.
Learn More
Regularly update your passwords.
It’s good practice to update your passwords every 3-6 months. If it has been more than 6 months since you last updated, we recommend updating it now.
Learn More
As a neighbour of Ring, your safety is our highest priority. We’re committed to helping you keep your home safe and protected – and that means keeping you informed with best practices for your online security, too.
If you have questions or need assistance turning on Two-Factor Authentication or changing your password, please contact [email protected].
Wishing you a safe and happy holiday,
The Ring Team
This will help
I know this is possible, but we’ve heard this excuse from many different companies in the last couple of years when there there are widespread reports of security breaches. It stretches belief that this is common enough to produce all the reports that we’ve seen about these different companies. I’m, just sayin…
103.3 is out, it fixes the ring issues.
It’s called “credential stuffing” and it’s totally plausible that this is what happened.
People are, by and large, relatively lazy with account security and folks often re-use usernames and passwords on multiple sites.
Have I been pwned? has tracked over 400 site breaches (10 since October), the largest containing over 700M accounts (you should go over there and just see if your email has been pwned, or your “favorite” password, it probably has).
These lists are often made public on sites like pastebin.com, for anyone to download.
Once a bad actor has a username and password from Site A, he/she can then use it to “stuff” every popular website he/she can find to see if it will work there. If companies aren’t doing things like rate limiting and blocking (and often even if they are), he/she will eventually find accounts to gain access to. The site where accounts are then compromised through credential stuffing haven’t, technically, been breached. The user themselves are at some fault as well (using the same password in more than one place).
This is why Two-Factor Authentication (2FA or MFA) has become so popular recently, as it will completely defeat credential stuffing.
103.3 actually re-broke it for me… Sigh.
I had performed the manual upgrade of the Python library, then after upgrading to 103.3 it’s broken again.
Edit: Actually, I just checked, I’m on HA 0.103.4…
I’m running ring-doorbell 0.2.5, which pip says is the latest version.
Following a reboot I’m still getting the API errors.
HA 0.103.4 HassOS 3.7
Error: 401 Client Error: Unauthorized for url: https://api.ring.com/clients_api/session
The ring-doorbell library needs to be updated to use OAuth2 once that is done it’ll work properly again.
Sit tight.
Fix available over here: Ring integration setup fails
It’s not pretty, but it does restore operation.