Wyze, the popular smart home device manufacturer, has fallen victim to a security breach that compromised thousands of users’ privacy. The security lapse, originating from a third-party client library, caused around 13,000 users to receive thumbnails from cameras that did not belong to them, with 1,504 users unintentionally tapping on them.
The incident unfolded on Friday morning, stemming from a service outage at the company’s partner, Amazon Web Services (AWS). While most taps merely enlarged the thumbnails, in some cases, unauthorised users could view Event Videos.
During the outage, which lasted several hours, Wyze users could not access live camera feeds and event logs, causing significant inconvenience and confusion. However, the situation escalated when a security lapse occurred during the restoration process, leading to unauthorised access to user data.
“We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own, and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases, an Event Video could be viewed. All affected users have been notified,” said the company in an email to the affected users.
The incident’s root cause has been traced back to a third-party caching client library recently integrated into the Wyze system. Under the severe load caused by a surge in device reconnections, this library mixed up the mapping between device IDs and user IDs, connecting some data to incorrect accounts.
In panic and confusion, Wyze added a new layer of verification to prevent unauthorised access to Event Videos and modified the system to bypass caching for checks on user-device relationships until thoroughly tested client libraries could be adopted.
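The failure mode described above, as an added illustration that is not Wyze’s code and does not use the real library: an authorisation decision taken from a cached device-to-owner mapping that can be mis-attributed under load, beside the hardened form that re-checks ownership against the authoritative store before serving an Event Video. The `CorruptibleCache` class, the `OWNERSHIP` table and the user and camera names are all constructed for the example.

```python
"""Hypothetical model of a cache-driven authorization bug and its fix.

Constructed for illustration; the corruption is simulated, not a property of
any real caching library.
"""

# Constructed sample data: the authoritative record of which user owns which camera.
OWNERSHIP = {"cam-A": "alice", "cam-B": "bob"}


class CorruptibleCache:
    """Stand-in for a cache client that, when `under_load` is set, returns an
    entry belonging to a different key (a mixed-up device/user mapping)."""

    def __init__(self):
        self._store = {}
        self.under_load = False

    def put(self, key, value):
        self._store[key] = value

    def get(self, key):
        if self.under_load:
            # Simulated corruption: hand back some other key's value.
            for k, v in self._store.items():
                if k != key:
                    return v
        return self._store.get(key)


def warm_cache(cache):
    """Populate the cache while the system is healthy (before the load spike)."""
    for device, owner in OWNERSHIP.items():
        cache.put(device, owner)


def serve_event_video_vulnerable(cache, requesting_user, device_id):
    """Trusts the cached device->owner mapping as the only ownership check."""
    owner = cache.get(device_id)
    if owner is None:
        owner = OWNERSHIP[device_id]
        cache.put(device_id, owner)
    if owner == requesting_user:
        return f"video:{device_id}"
    return None


def serve_event_video_hardened(cache, requesting_user, device_id):
    """Bypasses the cache for the user-device relationship check: the
    authoritative store decides whether the video may be served, so a corrupt
    cache entry can at most affect what is displayed, never what is authorized."""
    owner = OWNERSHIP.get(device_id)
    if owner is None or owner != requesting_user:
        return None
    return f"video:{device_id}"


def count_cross_account_views(serve, cache):
    """Count how many (user, camera) pairs let a user view a camera they do not own."""
    leaks = 0
    for user in sorted(set(OWNERSHIP.values())):
        for device, owner in OWNERSHIP.items():
            if owner != user and serve(cache, user, device) is not None:
                leaks += 1
    return leaks


if __name__ == "__main__":
    cache = CorruptibleCache()
    warm_cache(cache)
    cache.under_load = True  # simulate the reconnection surge
    print("vulnerable leaks:", count_cross_account_views(serve_event_video_vulnerable, cache))
    print("hardened leaks:  ", count_cross_account_views(serve_event_video_hardened, cache))
```

The point of the hardened variant is that the cache is never the last word on an authorisation decision: it may speed up listing or rendering, but the check that gates access to the video itself reads the authoritative record, which is the kind of extra verification layer the article says was added.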
“We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred,” reiterated the company.