Smart camera company Wyze said that a glitch with its network last week allowed some users to see footage from security cameras that belonged to other users.
Wyze said in a post that it experienced an outage on Friday with its AWS cloud service that took down Wyze cameras for several hours.
As the company worked to restore camera feeds, a security issue emerged in which certain users were able to see thumbnails and video from cameras that weren’t theirs.
“Some users reported seeing the wrong thumbnails and Event Videos in their Events tab,” Wyze said.
“We immediately removed access to the Events tab and started an investigation.”
“We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed,” the company said.
Wyze blamed the incident on a recently integrated third-party caching client library that “received unprecedented load conditions caused by devices coming back online all at once.
As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
To prevent a similar issue from occurring again, Wyze said it has added a new layer of verification before users are connected to Event Videos, and is also bypassing caching for checks on user-device relationships until it identifies client libraries that are “thoroughly stress tested for extreme events like we experienced on Friday.”
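The safeguard described above, re-checking the user-device relationship against the source of truth instead of a cache before an Event Video is served, can be sketched as follows. This is an added example, not Wyze's code; the data model, function names and sample data are hypothetical and constructed for illustration.

```python
# Added illustration: every name and value here is hypothetical, not Wyze's code.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the requester does not own the device that produced an event."""


@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str
    video_url: str


# Constructed sample data: authoritative owner table (stand-in for the primary database).
DEVICE_OWNERS = {"cam-A": "user-1", "cam-B": "user-2"}
EVENTS = {
    "evt-100": Event("evt-100", "cam-A", "https://example.invalid/evt-100.mp4"),
    "evt-200": Event("evt-200", "cam-B", "https://example.invalid/evt-200.mp4"),
}
# Constructed cache state after a simulated mix-up: user-1's cached event list
# wrongly contains an event recorded by user-2's camera.
EVENT_LIST_CACHE = {"user-1": ["evt-100", "evt-200"], "user-2": ["evt-200"]}


def get_event_video(user_id: str, event_id: str) -> str:
    """Return the video URL only if the authoritative store says user_id owns the device."""
    event = EVENTS.get(event_id)
    # Ownership is read from the source of truth, never from the cache.
    if event is None or DEVICE_OWNERS.get(event.device_id) != user_id:
        # Same error for "missing" and "not yours" so event ids cannot be probed.
        raise AccessDenied(event_id)
    return event.video_url


def events_tab(user_id: str) -> list:
    """Build the Events tab from the cache, dropping entries that fail verification."""
    visible = []
    for event_id in EVENT_LIST_CACHE.get(user_id, []):
        try:
            get_event_video(user_id, event_id)
        except AccessDenied:
            continue  # a cache mix-up is filtered out instead of shown
        visible.append(event_id)
    return visible
```

Because the check runs at the point where content is served, a wrong cache entry degrades to a missing thumbnail instead of exposing another account's video.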
“We know that this is very disappointing news,” Wyze wrote.
“It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze.”
Wyze said that all affected users have been notified and that it sent out notices to different groups of users based on whether their video was shown to other users and whether it was tapped on and viewed.
The company also said that it notified all its users about the incident and that “99.75% of all Wyze accounts were not affected by the security event.”
Wyze did not immediately respond to a request for comment.