A Wyze camera breach allowed some 13,000 customers view footage from other people’s homes. The company had originally said that the serious privacy and security breach had only happened for 14 people.
Wyze says that most of these customers only saw a thumbnail, but that more than 1,500 users saw either a full-size still or a video recording of an event …
Wyze camera breach
Wyze said that an Amazon Web Services (AWS), whose servers the company uses for remote access to cameras, suffered an outage. That was annoying, with no remote camera access for several hours, but not a huge deal.
However, as The Verge reports, the problem came once the outage was over and cameras started coming back online.
Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.
As it did before, Wyze is chalking up the incident to “a third-party caching client library” that was recently integrated into its system.
“This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
But it was too late to prevent an estimated 13,000 people from getting an unauthorized peek at thumbnails from a stranger’s homes. Wyze says that 1,504 people tapped to enlarge the thumbnail, and that a few of them caught a video that they were able to view.
The company says that all affected users have been notified, and that it has now added “a new layer of verification” to ensure it can’t happen again.
Reddit users were not impressed by the company’s explanation.
“Increased demand doesn’t cause code or databases to randomly confuse one value for another. Increased demand slows request processing time, it doesn’t fundamentally change a coded process. This is f*cky at best.”
“It’s hand-wavy bullsh*t. Wyze products are dirt cheap and you get what you pay for.”
“Why are they always blaming third party ? We don’t buy cameras from or pay subs to third parties. It’s Wyzes’s problem, admit it and get it over with.”
Not the first time
It’s not the first time something like this has happened. Back in 2022, a security flaw allowed hackers to view stored video, and it reportedly went unfixed for three years even after the company was alerted to it.
In 2019, some 2.4M Wyze camera users had a large amount of personal data leaked in a separate security flaw.
9to5Mac’s Take
As we recently said, whether the issue is security flaws or price-gouging on server access, the lesson for security cameras seems clear: Stick to cameras which support Apple’s HomeKit Secure Video.
This is not only completely secure, but also value for money. Although you need an iCloud subscription to use it, the cloud storage doesn’t count against your allowance.
Photo: 9to5Toys
FTC: We use income earning auto affiliate links. More.