Home security camera company Wyze, which has over 10 million customers and is a partner of Amazon Web Services, has some unsettling news for its users.
Last week, Wyze revealed that a security issue allowed “some users” with its camera system to temporarily see inside the homes of other Wyze users, saying that it had “so far” collected 14 reports of the issue. Now, the company is admitting that the breach is far worse than it previously reported, revealing that a whopping 13,000 users have actually been affected, according to a new email Wyze sent to customers.
Related: Amazon’s Ring announces a major change, and users aren’t happy
The security issue was discovered when a service outage temporarily shut down Wyze devices on Feb. 23. The company — which blamed the outage on Amazon Web Services — found that as its team was working to bring the devices back online, some users were reporting that they were seeing the “wrong thumbnails” and footage of other people’s homes in their Events tab, which is where users can access their own camera recordings.
“We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them,” read the new email Wyze sent to customers.
The company also claims in the email that the incident was caused by a “third-party caching client library” that was “recently integrated” into Wyze’s system.
“This client library received unprecedented load conditions caused by the devices coming back online all at once,” read the email. “As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
Side shot of a Wyze Cam v2 security camera isolated on a white background in San Ramon, California, November 20, 2020.
Smith Collection/Gado/Getty Images
Wyze claims that once the issue was discovered, it “immediately” removed users’ access to the Events tab. The company also claims in the email that it added a “new layer of verification” users will encounter before accessing Event videos, and further modified its system to prevent similar incidents from occurring in the future. The investigation of the incident is still ongoing.
What makes the breach even more unsettling is that Wyze’s home security cameras give users the ability to store and save camera footage from the Events tab onto a micro SD card, which a homeowner can only have access to. The camera supports microSD cards that can hold a max of 256 GB, which can hold about two to three weeks of playback recordings.
This is not the first time Wyze has had an issue with users unintentionally having the ability to see inside other people’s homes due to a security error. Last year in September, some Wyze users reported that they were able to see inside random people’s houses when trying to access their own camera footage.
“Today using Wyze web viewer I received an error message and when I refreshed it shows I only have 1 camera ‘kitchen cam,'” wrote one user on Reddit. “I don’t have a cam named that and when I refreshed I saw someone else’s camera view. It doesn’t connect to show live view but I am able to click the events tab and see ALL the events on this random persons camera INSIDE their house.”
Wyze responded to the reports from users by claiming that the incident occurred due to “a web caching issue” where a “small number of users” were affected for about 30 minutes.
Related: Veteran fund manager picks favorite stocks for 2024