Home surveillance company Wyze announced a glitch caused some 13,000 customers to see each other’s camera footage on Friday, according to a report in The Verge. The company originally disclosed the breach last week, but said it had only identified 14 affected customers. As it turns out, the tally adds up to a few more than that. It’s another in a growing number of full-blown security disasters at a company that makes security its entire business.
In an email to victims, Wyze said the problem started with an outage at Amazon Web Services (AWS), which provides the company’s cloud computing services. Wyze went on the blame the issue on a “third-party caching client library” that failed as its services came back online.
“On Friday morning, we had a service outage that led to a security incident affecting your Wyze account. The outage originated from our partner AWS and took down Wyze services for several hours,” the email said. “About 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them.”
Most of the time, that only unveiled still images, but some users were able to see video footage, the company said. Wyze said it’s already alerted every user who experienced the problem, and over 99% of its customers were unaffected.
This isn’t the first recent security crisis for Wyze. In September of 2023, A near identical problem let people see other users’ Wyze footage. Previously, Wyze disclosed that it knew about a critical flaw that left its security cameras vulnerable to hackers, but the company ignored the problem and kept it secret for three years. It was bad enough that Gizmodo recommended that Wyze customers stop using their cameras in 2022.
Wyze apologized to users, and admitted the email must be “disappointing news.” The company didn’t immediately respond to a request for comment.
According to Wyze, the problem stemmed from “a third-party caching client library” that the company recently added to its platform. “This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts,” Wyze said in the email. Amazon did not provide an on the record comment for this story.
