Wyze says camera breach let 13,000 customers briefly see into other people’s homes
Image: WyzeWyze’s problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought. Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were...
Wyze’s problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought.
Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000.
The revelation came from an email sent to customers entitled “An Important Security Message from Wyze,” in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS.
“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.
The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.
As it did before, Wyze is chalking up the incident to “a third-party caching client library” that was recently integrated into its system.
This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
But it was too late to prevent an estimated 13,000 people from getting an unauthorized peek at thumbnails from a stranger’s homes. Wyze says that 1,504 people tapped to enlarge the thumbnail, and that a few of them caught a video that they were able to view. It also claims that all impacted users have been notified of the security breach, and that over 99 percent of all of its customers weren’t affected.
Wyze customers are already airing their outrage on Reddit and elsewhere. One Reddit user, who described herself as a “23 year old girl” was getting ready for work during the breach, described herself as “disgusted and upset” and said she would be deleting her account. “I’m feeling so violated,” she said.
Wyze is scrambling to fix things by adding an additional layer of verification before users can view images or footage from the Events tab. “We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday,” the company’s email reads.
The email concludes with more apologies, including an acknowledgement that all of this will come as “disappointing news” to most of its users, whether they were affected by the breach or not. But that may not be enough to forestall any class action lawsuits that could stem from this.
Here’s the full email from Wyze:
Wyze Friends,
On Friday morning, we had a service outage that led to a security incident. Your account and over 99.75% of all Wyze accounts were not affected by the security event, but we wanted to make you aware of the incident and let you know what we are doing to make sure it doesn’t happen again.
The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.
As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation.
We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected.
The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.
We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred.
We must do more and be better, and we will. We are so sorry for this incident and are dedicated to rebuilding your trust.
If you have questions about your account, please visit support.wyze.com.
Wyze Team