
(WJW) — The maker of the popular Ring doorbell cameras allowed employees to access customers’ videos without their consent, according to a Federal Trade Commission complaint filed against the company Wednesday in federal court.

One such employee viewed thousands of recordings from cameras belonging to women, some of which came from “intimate spaces” like bathrooms and bedrooms, according to a Thursday news release from the commission. It’s unknown how many other employees inappropriately accessed such videos, the release states.

The company is also accused of violating owners’ privacy by using their videos in employee training materials as well as lacking safeguards to keep hackers from taking control of customers’ accounts and cameras and viewing their videos.

The commission alleges Ring didn’t seek customers’ consent to use the videos for training until January 2018, and that the consent language to use the videos for “product improvement and development” was “buried” in its terms of service agreement. The California-based company was purchased by Amazon the following February, according to the commission.

The commission is now asking a judge to order Ring to delete customer data from videos that were unlawfully reviewed, to add “stringent security controls” like multi-factor authentication and to refund $5.8 million to consumers.

The company has agreed to the refunds, the Associated Press reported.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, is quoted as saying in the release. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

Ring camera security failures

The commission alleges Ring cameras were susceptible to hacking attempts and that the company failed to secure them “despite warnings from employees, outside security researchers and media reports,” according to the release.

The commission claims hackers were able to access the cameras by using usernames and passwords obtained in data breaches — a tactic known as “credential stuffing” — or by guessing passwords — called a “brute force” attack — to force entry into a customer’s account. Such credential-stuffing attacks previously affected Ring cameras in 2017 and 2018, according to the commission, but the company still failed to upgrade its security.

Hackers ultimately exploited vulnerabilities to get into the accounts of about 55,000 U.S. customers, according to the complaint.

“Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers — including elderly individuals and children — whose rooms were monitored by Ring cameras, and to change important device settings,” the release states. “For example, hackers taunted several children with racist slurs, sexually propositioned individuals and threatened a family with physical harm if they didn’t pay a ransom.”

Amazon settles child privacy complaint

Amazon agreed Wednesday to pay a $25 million civil penalty to settle commission allegations that it violated a child privacy law and deceived parents by keeping for years kids’ voice and location data recorded by its popular Alexa voice assistant.

The Alexa-related action orders Amazon to overhaul its data deletion practices and impose stricter, more transparent privacy measures. It also obliges the tech giant to delete certain data collected by its internet-connected digital assistant, which people use for everything from checking the weather to playing games and queueing up music.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA (the Children’s Online Privacy Protection Act) and sacrificed privacy for profits,” Levine said in a separate statement.

The 1998 law is designed to shield children from online harms.

FTC Commissioner Alvaro Bedoya said in a statement that “when parents asked Amazon to delete their kids’ Alexa voice data, the company did not delete all of it.”

The agency ordered the company to delete inactive child accounts as well as certain voice and geolocation data.

A company spokesperson issued a statement to FOX 8 News on Thursday:

At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.

We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.

Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.