A service outage at smart home security camera maker Wyze led to a security breach in which 13,000 Wyze users received access to camera event recordings from other users.
According to a post by the Wyze support team on the company's public forum, a service outage that originated with AWS took down Wyze devices for several hours last Friday morning. Users reported being unable to view live cameras or events during that period.
However, as the company worked to bring cameras back online, some users reported seeing the wrong thumbnails and video events in the Wyze app. The company says it immediately removed access to the Events tab and began an investigation into the issue.
According to Wyze, about 13,000 users received thumbnails from cameras that were not their own. Of those, 1,504 users tapped on them. Most taps simply enlarged the thumbnail, but users could have accessed an event video.
The company, which posted the emails it sent users, says the culprit was “a third-party caching client library that was recently integrated into our system.”
“This client library received unprecedented load conditions caused by devices coming back online all at once,” the company’s support staff said in an online forum. “As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
Overall, the incident affected “a little less than 0.25%” of Wyze users, the company says.
To fix the issue, Wyze has added a new layer of verification between users and event videos to prevent it from happening again. The company has also removed the client library and will not be using caching until it can find a new client library and stress test it for extreme scenarios like the one on Friday.
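The kind of verification layer described above can be sketched as follows. This is an added example, not Wyze's code: the `EventGateway` class, its method names, and the sample data are all hypothetical, and it assumes an authoritative device-to-owner mapping exists separately from the cache.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when an event does not belong to the requesting user."""

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str
    video_url: str

class EventGateway:
    """Hypothetical verification layer between users and event videos."""

    def __init__(self, device_owners, cache):
        self.device_owners = device_owners  # source of record: device_id -> user_id
        self.cache = cache                  # untrusted: user_id -> [Event, ...]
        self.mismatches = []                # (user_id, event_id) pairs for alerting

    def _owns(self, user_id, event):
        # Fail closed: an unknown device never matches any user.
        return self.device_owners.get(event.device_id) == user_id

    def list_events(self, user_id):
        """Return cached events, dropping any whose device has another owner."""
        allowed = []
        for event in self.cache.get(user_id, []):
            if self._owns(user_id, event):
                allowed.append(event)
            else:
                self.mismatches.append((user_id, event.event_id))
        return allowed

    def get_video(self, user_id, event_id):
        """Return the video URL only after the ownership check passes."""
        for event in self.cache.get(user_id, []):
            if event.event_id == event_id:
                if not self._owns(user_id, event):
                    self.mismatches.append((user_id, event_id))
                    raise AccessDenied(event_id)
                return event.video_url
        raise KeyError(event_id)

# Constructed sample data: the cache has attached user-2's event to user-1.
OWNERS = {"cam-A": "user-1", "cam-B": "user-2"}
EV_A = Event("ev-1", "cam-A", "https://example.invalid/ev-1.mp4")
EV_B = Event("ev-2", "cam-B", "https://example.invalid/ev-2.mp4")
GATEWAY = EventGateway(OWNERS, {"user-1": [EV_A, EV_B], "user-2": [EV_B]})
```

Because the ownership check runs on every read against the source of record, a cache that returns another account's event yields a denial and a recorded mismatch instead of a thumbnail or video.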
The outage was first reported Friday morning at 6:31 P.T., and by 10:00 a.m., metrics began showing improvement for device connection recovery. At 11:28 a.m., Wyze reported continued improvement, but noted that it was disabling the event tab to investigate the security issue.
In 2019, Wyze reported another security incident in which unauthorized access was made to a database that included Wyze nicknames, user emails, profile photos, WiFi router names, a limited number of Alexa integration tokens, and other information.