Wyze camera breach offers sneak peek into other people’s homes

20 Feb 2024


In an update yesterday, the Seattle-based company blamed the breach on a third-party ‘caching client library’ that was recently integrated into its system.

Wyze, a US company that makes smart home security cameras, has said that a breach of its systems briefly allowed around 13,000 people to see into the homes of other users.

In an email to users posted on its website yesterday (19 February), Wyze said that it had experienced a “service outage” last Friday which led to the security incident – but that more than 99.75pc of users were not affected by it.

“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused,” the company wrote.

“As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation.”

Wyze confirmed that about 13,000 users were inadvertently given access to the cameras of other households after receiving thumbnails from cameras that were not their own and that more than 1,500 users “tapped on them”.

“Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified,” the company went on, blaming the breach on a third-party “caching client library” that was recently integrated into its system.

“This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”

This is not the first time an incident of this nature has occurred at Wyze. In September last year, some security camera owners reported being able to see webcam feeds that weren’t theirs. Wyze blamed this on a web caching issue at the time.

“To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos,” the company wrote in its update yesterday.

“We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.”
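The two changes Wyze describes, an extra verification step before a clip is served and user-device checks that bypass the cache, can be illustrated with a short sketch. This is an added example, not Wyze's code: the function names, the `Event` type and the sample data are all hypothetical and constructed for illustration.

```python
# Added example, not Wyze's code. All names and data here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str   # camera that recorded the clip

# Constructed sample data: the source of truth for who owns which camera.
OWNERS = {"cam-A": "user-1", "cam-B": "user-2"}

# Constructed cache contents after a mix-up: cam-B now maps to the wrong user.
MIXED_UP_CACHE = {"cam-A": "user-1", "cam-B": "user-1"}

def owner_from_cache(device_id, cache):
    """Fast path: trusts whatever the cache layer returns."""
    return cache.get(device_id)

def owner_from_store(device_id, owners):
    """Authoritative path: reads the ownership record, bypassing the cache."""
    return owners.get(device_id)

def can_view_cached(user_id, event, cache):
    """Authorization decided on cached data only (the fragile design)."""
    return owner_from_cache(event.device_id, cache) == user_id

def can_view_verified(user_id, event, cache, owners, mismatches):
    """Extra verification layer applied before a clip is served.

    The decision uses only the authoritative record and fails closed when
    the device is unknown. Disagreement with the cache is recorded so that
    a mapping mix-up shows up in monitoring instead of in a user's feed.
    """
    real_owner = owner_from_store(event.device_id, owners)
    cached_owner = owner_from_cache(event.device_id, cache)
    if cached_owner is not None and cached_owner != real_owner:
        mismatches.append((event.device_id, cached_owner, real_owner))
    return real_owner is not None and real_owner == user_id

def demo():
    clip = Event("evt-100", "cam-B")          # recorded by user-2's camera
    seen = []
    return {
        "cached_wrong_user": can_view_cached("user-1", clip, MIXED_UP_CACHE),
        "verified_wrong_user": can_view_verified("user-1", clip, MIXED_UP_CACHE, OWNERS, seen),
        "verified_real_owner": can_view_verified("user-2", clip, MIXED_UP_CACHE, OWNERS, seen),
        "mismatches": seen,
    }
```

With the mixed-up cache, the cache-only check lets user-1 open user-2's clip, while the verified check denies it, still serves the real owner, and records the disagreement each time it is seen.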


Vish Gain is a journalist with Silicon Republic
