Although “a third-party caching library” is being held responsible for the security breach, the corporation admits that it disappointed customers.
The issues Wyze has with its security camera users being able to peek momentarily into other users’ houses are far more serious than we initially anticipated.
Co-founder David Crosby revealed last week that, “so far,” the company had identified 14 individuals who had been shown an image from another person’s Wyze camera, allowing them to have a quick glimpse inside someone else’s property. We now hear that the number of affected clients has skyrocketed to 13,000 people.
An email headed “An Important Security Message from Wyze” was the source of the information. In it, the corporation acknowledged the breach and apologized, trying to assign some of the blame to its web hosting provider, AWS.
“Our partner AWS caused the outage, which brought down Wyze devices for a few hours on Friday morning. It’s likely that you were unable to observe live cameras or events during that period. We sincerely apologize for the confusion and annoyance this has caused.”
But while Wyze was trying to get its cameras back online, there was a breach. Consumers claimed to have seen enigmatic pictures and videos under their own Events tab. Wyze started its own inquiry and blocked access to the tab.
Wyze is attributing the event, as it did previously, on the recent integration of “a third-party caching client library” into its system.
Devices coming back up all at once created unusual load circumstances for this client library. It muddled device ID and user ID mapping due to increased demand, linking certain data to false accounts.
However, it was too late to stop an estimated 13,000 individuals from seeing thumbnails from strangers’ houses without authorization. Wyze reports that 1,504 users tapped the thumbnail to make it larger, and some of those users were able to watch the video. Additionally, it states that over 99 percent of its clients were unaffected by the security compromise and that all affected individuals have been informed of it.
Wyze users are already expressing their fury on other websites and on Reddit. During the hack, a Reddit member going by the name of “23 year old girl” was getting ready for work. She declared herself “disgusted and upset” and threatened to delete her account. “I feel like I was violated,” she uttered.
Wyze is working quickly to address the issue, requiring an extra degree of verification before allowing users to see any photos or videos from the Events area. “The company’s email states that we have adjusted our system to omit caching for user-device relationship checks until we find new client libraries that are rigorously stress tested for extreme events like we experienced on Friday.”
The email ends with additional apologies and a recognition that most of its users, whether or not they were impacted by the incident, will find this to be “disappointing news.” However, that might not be sufficient to stop any class action lawsuits that result from this.
Here is Wyze’s entire email:
Wyze Friends, On Friday morning, we had a service outage that led to a security incident. Your account and over 99.75% of all Wyze accounts were not affected by the security event, but we wanted to make you aware of the incident and let you know what we are doing to make sure it doesn’t happen again. The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused. As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation. We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected. The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts. To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday. We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred. We must do more and be better, and we will. We are so sorry for this incident and are dedicated to rebuilding your trust. If you have questions about your account, please visit support.wyze.com. Wyze Team.