Wyze security camera breach impacted over 900 times more people than originally thought

Remember that Wyze security camera breach a few days ago which showed 14 users images from inside other people’s homes? It turns out that the number of people affected was more like 13,000.

Wyze updated users on the Feb. 16 security breach via email, admitting that around 930 times more people were impacted by the incident than initially believed. The smart home company stated that approximately 13,000 users were shown thumbnail images from cameras belonging to other people, with 1,504 people actually tapping on them. This either enlarged the picture or showed the user a video from a stranger’s Wyze camera, private images that they should never have had access to.

According to the company, over 99.75 percent of Wyze’s users weren’t affected by the breach. Still, that’s around 0.25 percent of users whose privacy was violated — and 100 percent who should have renewed concerns about the security of their security cameras. 

The breach occurred after Wyze’s cameras went down for almost nine hours on Friday, an outage the company attributed to their partner Amazon Web Services. The devices were mistakenly connected to the wrong users when they came back online, thus allowing people to peek into strangers’ homes.

“The incident was caused by a third-party caching client library that was recently integrated into our system,” wrote Wyze in the emails, which it also shared on its official forum. “This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”

Users of Wyze’s security cameras are widely unimpressed with this explanation. Many took to social media to deride both the lapse in security and Wyze’s response, criticising the company for what they perceived as an attempt to lay blame on a third party instead of taking full responsibility.

“I really dislike it when a company tries to blame a “third party” for an oversight…” Redditor u/90TigerWW2K commented. “Dear Wyze, whether the error originated with AWS or some other third party, from the consumer’s perspective, YOU ARE RESPONSIBLE FOR MANAGING YOUR VENDORS.” 

“I’m so disgusted and upset,” u/H3H3ather wrote. She was one of the 0.25 percent of users impacted. “I’ve already deleted my account, but I’m feeling so violated.”

Wyze has attempted to reassure customers by adding more security to its service.

“To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos,” wrote Wyze. “We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.”
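The mitigation described in that statement, re-checking the user-device relationship against an authoritative source rather than a cache before an event is shown, can be illustrated as follows. This is an added example, not Wyze's code: the class names, IDs and in-memory store are assumptions, and the cache contents are constructed to simulate a mixed-up mapping.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when a user requests an event from a device they do not own."""

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str  # camera that recorded the event

class OwnershipStore:
    """Authoritative device -> owner mapping (stands in for the primary database)."""
    def __init__(self, owners):
        self._owners = dict(owners)

    def owner_of(self, device_id):
        return self._owners.get(device_id)  # None for unknown devices

class EventService:
    def __init__(self, store, events, cache):
        self._store = store
        self._events = events  # event_id -> Event
        self._cache = cache    # user_id -> [event_id]; fast, but may be wrong

    def _is_owner(self, user_id, event_id):
        event = self._events.get(event_id)
        if event is None or user_id is None:
            return False  # fail closed; also stops None matching an unowned device
        # Bypass the cache: the ownership decision uses only the authoritative store.
        return self._store.owner_of(event.device_id) == user_id

    def thumbnails_for(self, user_id):
        """Use the cache for speed, but drop every entry the user does not own."""
        return [e for e in self._cache.get(user_id, []) if self._is_owner(user_id, e)]

    def open_event(self, user_id, event_id):
        """Second verification layer, repeated when the video is actually opened."""
        if not self._is_owner(user_id, event_id):
            raise AccessDenied(f"{user_id!r} may not view {event_id!r}")
        return self._events[event_id]

def build_demo():
    """Constructed data: the cache wrongly lists bob's event ev-2 under alice."""
    store = OwnershipStore({"cam-a": "alice", "cam-b": "bob"})
    events = {e.event_id: e for e in (Event("ev-1", "cam-a"),
                                      Event("ev-2", "cam-b"),
                                      Event("ev-3", "cam-x"))}  # cam-x has no owner
    poisoned_cache = {"alice": ["ev-1", "ev-2"]}
    return EventService(store, events, poisoned_cache)
```

With the constructed data, the cache still lists the wrong event for alice, but neither the thumbnail list nor the video request returns it, because the cache is never consulted for the authorization decision.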

Unfortunately, it may be too little too late for some users, especially considering that this is far from Wyze’s first security scandal. A similar incident in September previously allowed Wyze users to view feeds from other people’s cameras, the company stating at the time that it would “make efforts to ensure it doesn’t happen again.” In 2022, a report revealed that Wyze had been aware of a major security breach for three years, but failed to fully fix it, recall the affected cameras, or even inform its users. And in 2019, a massive data leak at Wyze exposed 2.4 million users’ personal data, including email addresses and health data.

Security cameras can be useful, and in many cases give users an extra sense of safety. Still, you should have a good long think about whether you actually need internet-connected cameras surveilling you at home. Or, at the very least, reassess where they’re positioned.

Mashable