Wyze

Wyze outage led to the cameras of 13,000 customers being shown to other users

Ben Schoon | Feb 19 2024 - 8:15 am PT

It’s, unfortunately, increasingly common for security cameras to have a glitch that exposes data from one user’s system and have that data show up in someone else’s app, but when it does happen, it usually has a minimal impact. Wyze, though, has confirmed that a recent outage led to the cameras of 13,000 customers being semi-accessible to other accounts.

Last week, Wyze users experienced a major outage that took down camera feeds for several hours. The outage was attributed to a problem with AWS, Wyze said, but as the cameras came back online, some users started to notice camera feed thumbnails that weren’t from their own cameras.

Wyze confirmed over the weekend that, yes, camera thumbnails were accidentally accessible from other users’ systems for a brief period. The thumbnails were seen in the Wyze app’s “Events” tab and showed images, not full clips, from cameras that were not from a user’s own cameras. The company at the time mentioned to The Verge that the issue had been reported by just over a dozen users, but the actual impact was far greater.

In a round of emails sent to Wyze customers overnight, Wyze explains that this thumbnail issue affected roughly 13,000 customers. Thumbnails from other accounts were sent to that huge number of Wyze owners, and the company says that just over 1,500 of those users tapped on the thumbnails from other users. Wyze explains on its forum that the emails were sent in three variants. One email was sent to all customers unaffected by the issue, one sent to those affected, and a third to users whose thumbnails were not only visible to others, but were tapped on to be enlarged.

That led to some uncomfortable situations, including from one Reddit user (a 23-year-old woman) who was “getting ready for work” during the outage.

In the email, Wyze explains that the issue was caused by a “third-party caching client library” that was “recently integrated.” The system had trouble handling all of Wyze’s cameras coming back online at once after the outage was resolved which led to “mixed up device ID and user ID mapping.”

Wyze also notes that, to “make sure this doesn’t happen again,” a new layer of verification has been added before users are connected to event videos.

The email reads in part:

We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. We’ve identified your Wyze account as one that was affected. This means that thumbnails from your Events were visible in another Wyze user’s account and that a thumbnail was tapped. Most taps enlarged the thumbnail, but in some cases it could have caused an Event Video to be viewed.

The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.

This isn’t the first time Wyze has had this issue. Just last year, a similar issue allowed see not only thumbnails, but full videos from other user’s systems. That issue was attributed to a “web caching” problem. Prior to that, Wyze confirmed in 2022 that a security flaw could allow hackers to access all video stored on a Wyze camera’s SD card. The company knew about the problem for three years before fixing and disclosing it, and left older hardware vulnerable by not providing updates.