Ashley LeMay and Dylan Blakeley recently installed a Ring security camera in the bedroom of their three daughters, giving the Mississippi parents an extra set of eyes - but not the ones that they had bargained for.
Four days after mounting the camera to the wall, a built-in speaker started piping the song "Tiptoe Through the Tulips" into the empty bedroom, footage from the device showed.
When the couple's 8-year-old daughter, Alyssa, checked on the music and turned on the lights, a man started speaking to her, repeatedly calling her a racial slur and saying he was Santa Claus. She screamed for her mother.
The family's Ring security system had been hacked, the family said. The intrusion was part of a recent spate of breaches involving Ring, which is owned by Amazon.
There have been at least three similar cases reported this month - the others were in Connecticut, Florida and Georgia. Other breaches, involving Google's Nest and Taococo, a baby monitor sold on Amazon, have also drawn scrutiny and prompted concerns about privacy.
LeMay said that she and her husband, who unplugged the camera, immediately reported the episode to Ring and later to the police in Southaven, Mississippi. Since the episode, she said, her family had been contacted by the FBI and by Ring's chief operating officer, Jon Irwin.
But she criticized the company's response, saying it had provided scant information and deflected responsibility for the breaches onto customers.
A Ring spokeswoman said in a statement Saturday that the company took the security of its devices seriously and attributed the recent episodes to hackers gaining users' login credentials.
"Our security team has investigated this incident and we have no evidence of an unauthorized intrusion or compromise of Ring's systems or network," the statement said. "Recently, we were made aware of an incident where malicious actors obtained some Ring users' account credentials (e.g., username and password) from a separate, external, non-Ring service and reused them to log in to some Ring accounts."
"Unfortunately, when the same username and password is reused on multiple services, it's possible for bad actors to gain access to many accounts," the statement said.