Wyze security incident allowed strangers to see into some users’ homes
A glitch affecting Wyze home security cameras allowed thousands of users to peer inside strangers’ homes, the company disclosed Friday.
News of the breach was announced to customers in an email titled “An Important Security Message from Wyze,” in which company officials acknowledged the incident while also telling users that it stemmed from problems at Amazon Web Services (AWS), an internet hosting provider Wyze works with.
The company said the AWS issue knocked Wyze offline for several hours on Friday morning. The breach occurred as cameras were brought back online, causing some customers to see the “wrong thumbnails and Event Videos in their Events tab,” the email said. “We immediately removed access to the Events tab and started an investigation.”
Roughly 13,000 total Wyze users received thumbnails from other people’s cameras and the thumbnails were “tapped” for 1,504 users, allowing their cameras’ footage to be available to others.
The company’s email said that 99.75% of customers were not affected in the breach.
Most taps “enlarged the thumbnail, but in some cases it could have caused an Event Video to be viewed,” according to the email, which was first reported by The Verge.
The email went on to explain that the security incident grew out of a “third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once.”
The company said the sudden surge in demand caused the system to mix up user device IDs and user ID mapping, thereby linking the wrong accounts with some data.
“To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos,” Wyze said in the email. “We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.”
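The two mitigations described in the email (a verification step before Event Videos are served, and bypassing the cache for user-device checks) can be sketched as follows. This is an added example, not Wyze's code; the store, cache, function names and data are all hypothetical and constructed for illustration.

```python
# Added illustration: every name and record here is constructed, not Wyze's system.

# Authoritative user -> devices mapping (stand-in for the source-of-truth database).
OWNERSHIP_DB = {"alice": {"cam-A1"}, "bob": {"cam-B7"}}

# Event records keyed by event id; each event names the camera that produced it.
EVENTS = {"evt-1": "cam-A1", "evt-2": "cam-B7"}


class FaultyCache:
    """Cache whose entries can end up cross-wired, modelling the ID mix-up."""

    def __init__(self):
        self._store = {}

    def put(self, user, devices):
        self._store[user] = set(devices)

    def get(self, user):
        return self._store.get(user)


def list_events_cached(cache, user):
    """Before: the Events list trusts whatever device set the cache returns."""
    devices = cache.get(user) or set()
    return sorted(e for e, dev in EVENTS.items() if dev in devices)


def owns_device(user, device):
    """User-device check that bypasses the cache and reads the authoritative store."""
    return device in OWNERSHIP_DB.get(user, set())


def open_event_video(user, event_id):
    """After: ownership is re-verified at access time, whatever the list showed."""
    device = EVENTS.get(event_id)
    if device is None or not owns_device(user, device):
        raise PermissionError(f"{user} may not view {event_id}")
    return f"video:{event_id}"


def demo():
    cache = FaultyCache()
    cache.put("alice", OWNERSHIP_DB["bob"])  # constructed fault: wrong mapping cached
    leaked = list_events_cached(cache, "alice")  # alice is listed bob's event
    try:
        open_event_video("alice", leaked[0])
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, open_event_video("alice", "evt-1")
```

The cached listing still shows the wrong event, which is why the check has to sit at the point where the video is served, not only where the list is built.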
In September, The Verge reported on a similar Wyze camera breach, quoting stunned customers who had discovered they could see other users’ feeds, giving them a window into their homes.
“I am able to click the events tab and see ALL the events on this random person’s camera INSIDE their house,” The Verge quoted a Reddit commenter saying at the time.
Wyze apologized to customers for this most recent incident, saying “it does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze.”
The email also said that Wyze has “implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.