Wyze admits that its camera vulnerabilities allowed 130,000 customers to briefly see other people s

Mondo Digital Updated on 2024-02-20

The earlier technical issue at Wyze that let its surveillance camera customers briefly see into other customers' residences has turned out to be much more problematic than we thought. Last week, company co-founder David Crosby said that, "until now", the company had confirmed that 14 people briefly saw the property of strangers because they were shown images from someone else's Wyze camera. Now we are told that the number of affected users has surged to 13,000.

Wyze sent customers an email titled "Important safety information from Wyze". In the email, Wyze acknowledges the vulnerability and apologizes, while also trying to place some of the blame on its web hosting provider, AWS.

"The outage originated with our partner AWS, causing the Wyze appliance to go down for several hours early Friday morning. If you were trying to view a live camera or 'Events' during this time, you were most likely unable to proceed. We apologize for the confusion this may cause."

However, just as Wyze tried to restart the cameras, the breach happened. Customers reported seeing mysterious images and snippets in their own "Activities" tabs. Wyze closed access to the tab and began investigating.

As before, Wyze blamed the incident on a "third-party cache client library" that had recently been integrated into its system.

The client library came under unprecedented load when the devices suddenly came back online. Under the increased demand, it mixed up the device ID and user ID mappings and connected some data to the wrong accounts.

But it was too late: an estimated 130,000 people peeked at thumbnails from strangers' homes without authorization. Wyze said 1,504 people clicked to zoom in on the thumbnail, and several of them even snapped a clip**. Wyze also said that all affected users have been notified of the security breach, and that more than 99% of customers have not been affected.

Wyze customers have already voiced their outrage on Reddit and elsewhere. One Reddit user, who described herself as a "23-year-old girl", was getting ready to go to work when the breach occurred. She said she was "feeling nauseous and uneasy" and that she would delete her account. She said, "I felt greatly violated."

Wyze is working to solve the problem by adding a layer of verification before users can view or record from the "Events" tab. In the email, the company wrote: "We also modified the system to bypass the cache to check the relationship between the user and the device until we identified a new client library and ran a thorough stress test for the extreme event that happened on Friday."
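The mitigation described in the email, checking the user-device relationship against the system of record instead of trusting the cache, can be sketched as follows. This is an added illustration, not Wyze's code: the names (`DEVICE_OWNER`, `EVENT_CACHE`, `events_for`, the `misroute` fault switch) and the sample data are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str

# Constructed sample data (hypothetical schema, not Wyze's).
DEVICE_OWNER = {"cam-A": "user-1", "cam-B": "user-2"}  # system of record
EVENT_CACHE = {                                        # per-user cached event feed
    "user-1": [Event("e1", "cam-A")],
    "user-2": [Event("e2", "cam-B")],
}

def cached_events(user_id, misroute=None):
    """Read the cached feed. `misroute` simulates the fault described in the
    email: the cache client answers with the entry stored for another user."""
    return list(EVENT_CACHE.get(misroute or user_id, []))

def owns_device(user_id, device_id):
    """Authorization check read from the system of record, never the cache.
    Fails closed for unknown devices and for a missing user id."""
    owner = DEVICE_OWNER.get(device_id)
    return user_id is not None and owner is not None and owner == user_id

def events_for(user_id, misroute=None):
    """Return (served, rejected). Only events from devices the caller owns are
    served; a non-empty rejected list means the cache returned data for the
    wrong account and should be logged and alerted on."""
    served, rejected = [], []
    for ev in cached_events(user_id, misroute):
        (served if owns_device(user_id, ev.device_id) else rejected).append(ev)
    return served, rejected

if __name__ == "__main__":
    print(events_for("user-1"))                     # healthy cache
    print(events_for("user-1", misroute="user-2"))  # faulty cache, event blocked
```

The ownership check runs per event at read time, so a wrong cache answer degrades to an empty feed plus an alert rather than to another household's thumbnails.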

The email ended with more apologies, including acknowledging that all of this is "disappointing news" for most users, regardless of whether they were affected by the vulnerability or not. But that may not be enough to avoid a class action lawsuit.

Here is the full text of the email sent by Wyze:

Friends of Wyze:

On Friday morning, our service disruption resulted in a security incident. Your account and more than 99.75% of Wyze accounts were not affected by this security incident, but we hope you will be aware of this incident, and we want to let you know what we are doing to ensure that such incidents do not happen again.

The outage originated with our partner AWS and caused the Wyze appliance to go down for several hours early Friday morning. If you tried to view a live camera or event during this time, you were most likely not able to do so. We apologize for the confusion this may cause.

In our efforts to get the cameras back online, we ran into a security issue. Some users have reported that they saw the wrong thumbnails and "Activities" in their "Activities" tab. We immediately canceled access to the "Activities" tab and started investigating.

We can now confirm that around 13,000 Wyze users received thumbnails from cameras that weren't their own, and 1,504 users clicked on them when the camera came back online. Most clicks zoom in on the thumbnail, but in some cases, users can **event**. All affected users have been notified. Your account is not among the affected accounts.

The cause of the incident was a third-party caching client library that was recently integrated into our system. The client library was under unprecedented load due to the devices coming back online all at once. Due to the increased demand, it obfuscated the device ID and user ID mappings and connected some data to the wrong account.

To make sure this doesn't happen again, we've added a new layer of authentication before the user connects to the event. We also modified the system to bypass the cache to check the relationship between the user and the device until we identified a new client library and ran a thorough stress test for the extreme event that happened on Friday.

We know this is very disappointing news. This does not reflect our commitment to protecting our customers, nor does it reflect our other investments and actions in recent years that have made safety a top priority for WYZE. We established a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and conducted multiple third-party audits and penetration tests at the time of this incident.

We have to do more and better, and we will. We apologize for this incident and are committed to rebuilding your trust.

If you have any questions about your account, please visit support.wyze.com.

The Wyze Team.
