Wyze camera breach allowed 13,000 people to spy on strangers

Smart camera maker Wyze has disclosed that some users last week were able to see footage from cameras that were installed in other homes. The firm blames the security glitch on its cloud computing partner, AWS.

In an email to users and more updates on its website, Wyze, the maker of cheap smart cameras, said that the outage last Friday lasted several hours and briefly left camera footage inaccessible.

While the firm was working to bring the devices online, around 13,000 users saw wrong thumbnails from other users in the Wyze app, the email said. About 1,500 users actually clicked on them and were able to see the footage from other people’s homes.

“Most of these taps enlarged the image, but we found a few cases with things like Cam Plus Lite and sound detection events where the thumbnail was attached to an event video and the video was viewed,” said Wyze.

The company is blaming the incident – now fixed – on “a third-party caching client library, the Amazon Web Services (AWS). The system allegedly “received unprecedented load conditions caused by devices coming back online all at once” because of the surge in demand and mixed up IDs between devices and users.

To prevent a similar issue from occurring again, Wyze added a new layer of verification for users to see thumbnails and videos and, of course, notified the affected users. The firm stressed that “99.75% of all Wyze accounts were not affected by the security event."

The problem is that this isn’t the first security incident that’s hit Wyze. In September 2023, another web caching issue left the feeds of 10 users viewable to thousands of strangers.

And in 2019, a data leak exposed millions of user email addresses as well as the email addresses of people who were given permission to view the camera feeds.

That’s why Wyze’s public repentance doesn’t seem too convincing: “We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze.”

Still, other smart camera makers have also been facing issues. In 2022, Amazon had to urgently fix a vulnerability in its Ring app that could have exposed users’ personal data, location, and camera recordings.

In 2019, a hacker accessed a family’s Ring camera and told their 8-year-old daughter he was Santa Claus. The man also encouraged the minor to destroy the room. Ring claimed that the hacker did not actually gain access to the camera through a data breach.