Once again, Wyze camera leaks feed of other users to 13,000 customers
Wyze experienced a significant security leak following a system-wide outage on February 16, 2024. The breach gave at least 13,000 users unintended access to other customers' home video feeds.
The root cause was attributed to a glitch in a third-party caching client library recently integrated into Wyze's systems. The library failed to handle the surge of cameras reconnecting simultaneously after an outage, initially caused by an issue with AWS (Amazon Web Services), that took Wyze devices down for several hours.
During the outage and the subsequent recovery process, a mix-up in device and user ID mappings occurred. As a result, video feed thumbnails and Event Videos were assigned to the wrong user accounts within the Wyze app, particularly under the Events tab. As cameras reconnected, about 13,000 users received thumbnails from cameras not belonging to them, and 1,504 of these users proceeded to tap on these thumbnails. While most taps simply enlarged the thumbnail image, there were instances where tapping led to the viewing of another user's Event Video.
Wyze disabled access to the Events tab in its app and launched an investigation to understand and rectify the issue. The company has taken measures to add a layer of verification for users attempting to view video content via the Events tab. Wyze has also adjusted its systems to prevent caching during the verification of user-device relationships, pending a switch to a more reliable client library that can withstand high-demand scenarios like this outage.
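The two mitigations described above (a verification step before video is shown, and no caching of the user-device ownership check) can be sketched as follows. This is an added illustration, not Wyze's code: the account names, device IDs, event records and function names are all constructed for the example, and the corrupted cache stands in for the ID mix-up.

```python
# Constructed illustration: every name and record here is hypothetical.

# Authoritative device -> owner records (the source of truth).
DEVICE_OWNERS = {"cam-A": "alice", "cam-B": "bob"}

# Stored events; each records which device produced it.
EVENTS = {
    "evt-1": {"device_id": "cam-A", "video": "alice-front-door.mp4"},
    "evt-2": {"device_id": "cam-B", "video": "bob-garage.mp4"},
}

# Cached user -> event list after a simulated ID mix-up:
# bob's event has landed in alice's list.
EVENT_CACHE = {"alice": ["evt-1", "evt-2"], "bob": []}


class Forbidden(Exception):
    """Raised when the requester does not own the recording device."""


def list_events_trusting_cache(user_id):
    """Weak pattern: serve whatever the cache associates with the user."""
    return [EVENTS[e]["video"] for e in EVENT_CACHE.get(user_id, [])]


def owns_device(user_id, device_id):
    """Ownership is read from the authoritative store on every call, uncached."""
    return DEVICE_OWNERS.get(device_id) == user_id


def get_event_video(user_id, event_id):
    """Authorize at the point of viewing; unknown events fail closed."""
    event = EVENTS.get(event_id)
    if event is None or not owns_device(user_id, event["device_id"]):
        raise Forbidden(f"{user_id} may not view {event_id}")
    return event["video"]


def list_events_verified(user_id):
    """Hardened pattern: cached entries are hints, each one is re-authorized."""
    # A non-empty `rejected` list signals cache/authoritative divergence.
    videos, rejected = [], []
    for event_id in EVENT_CACHE.get(user_id, []):
        try:
            videos.append(get_event_video(user_id, event_id))
        except Forbidden:
            rejected.append(event_id)
    return videos, rejected
```

With the corrupted cache, the weak listing hands alice both videos, while the verified listing returns only her own and reports `evt-2` as rejected, which is the kind of mismatch worth alerting on.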
Wyze has communicated with affected users via email, apologizing for the inconvenience and potential privacy invasion caused by this incident. The exact number of users who had their video surveillance feeds fully exposed has not been disclosed by Wyze.