Account compromised - new login detected

Wife woke me up after she received an email from Wyze indicating a new login. She asked if I let my brother access our cameras to check them out. I told her absolutely not.

4 hours later I am awakened by some foreigner screaming obscenities in my camera.

I unplugged the camera and changed passwords to my account and my wife’s login.

How common is this and how does it happen? I will say that I am glad for the email notification from Wyze. But a little nervous now.

3 Likes

Welcome @sean.kendrick , sorry to hear this.

I would reach out to Security@Wyze.com for issues like this.

If you don’t have 2FA (Two-Factor Authentication) turned on, I would definitely do that as well.

Also, make sure your app is up to date and your cameras’ firmware is on the latest version.

3 Likes

I want to add here that the most common reason for this type of thing is re-use of passwords. If you used the same password on another site, and that password was leaked, then hackers use “credential stuffing” to try that password on many other sites and eventually can break in (especially if 2FA is not enabled).

5 Likes
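Two signals come up in this thread: the “new login” email that tipped off the original poster, and the credential-stuffing pattern Loki describes (one source trying a leaked password against many accounts). The script below is an added example, not Wyze’s code, showing how a defender would pull both out of an authentication log. The log format and every line in SAMPLE_LOG are constructed for the demonstration.

```python
"""Spot the two things this thread is about in an auth log: a successful login
from a device an account has never used before (what the Wyze email flagged),
and one IP trying many different accounts (the credential-stuffing signature).

Added example, not Wyze's code. The log format and every line in SAMPLE_LOG
are constructed for this demonstration:
    <ISO time> login <ok|fail> user=<name> ip=<addr> device=<id>
"""
from collections import defaultdict

SAMPLE_LOG = """\
2024-03-01T06:00:00Z login ok user=sean ip=203.0.113.10 device=phone-sean
2024-03-01T06:05:00Z login ok user=wife ip=203.0.113.10 device=phone-wife
2024-03-02T02:10:00Z login fail user=alice ip=198.51.100.7 device=unknown-1
2024-03-02T02:10:01Z login fail user=bob ip=198.51.100.7 device=unknown-1
2024-03-02T02:10:02Z login fail user=carol ip=198.51.100.7 device=unknown-1
2024-03-02T02:10:03Z login ok user=sean ip=198.51.100.7 device=unknown-1
2024-03-02T02:10:04Z login fail user=dave ip=198.51.100.7 device=unknown-1
2024-03-02T02:10:05Z login fail user=erin ip=198.51.100.7 device=unknown-1
"""


def parse(line):
    """Turn one log line into a dict of its fields."""
    ts, _, result, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event.update(ts=ts, result=result)
    return event


def analyze(log_text, spray_threshold=5):
    """Return (new_device_logins, stuffing_ips).

    new_device_logins: (user, device, ip) for each successful login from a
    device that account has not used before (first-ever login is the baseline).
    stuffing_ips: IPs that attempted at least spray_threshold distinct accounts,
    counting failures too, since one success among many failures is the tell.
    """
    known_devices = defaultdict(set)    # user -> devices seen on successful logins
    accounts_per_ip = defaultdict(set)  # ip -> distinct usernames it tried
    new_device_logins = []
    for line in log_text.splitlines():
        ev = parse(line)
        accounts_per_ip[ev["ip"]].add(ev["user"])
        if ev["result"] != "ok":
            continue
        seen = known_devices[ev["user"]]
        if seen and ev["device"] not in seen:
            new_device_logins.append((ev["user"], ev["device"], ev["ip"]))
        seen.add(ev["device"])
    stuffing_ips = sorted(ip for ip, users in accounts_per_ip.items()
                          if len(users) >= spray_threshold)
    return new_device_logins, stuffing_ips


if __name__ == "__main__":
    logins, ips = analyze(SAMPLE_LOG)
    for user, device, ip in logins:
        print(f"ALERT new device for {user}: {device} from {ip}")
    for ip in ips:
        print(f"ALERT possible credential stuffing from {ip}")
```

On the sample data the one successful login for `sean` from `unknown-1` is exactly the event a “new login detected” email is sent for, and the same IP shows up as a stuffing source because it touched six different accounts in a few seconds. A real service would key the device baseline on something sturdier than a client-supplied device id (a server-issued device cookie, for instance), but the logic is the same.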

Any idea why some random foreigner screaming obscenities?

I have no idea? They just kept saying “wake up MF, this India… We’re from India… We logged into your camera…” Real heavy accent. They dropped a couple more F bombs, followed by some laughter, and then I unplugged the camera, changed all my passwords and took the necessary precautions.

Shucks… for all I know it was you…lol

Why were you yelling obscenities?

I would agree with what Loki said about password re-use. That is so common because, let’s face it, people are lazy or don’t want to remember lots of different passwords. I’m NOT saying that you did so, but it is VERY common.

My standard recommendation these days. Use a password manager and over time change every password to something unique, long and complicated. Particularly for anything financial, make the new password as long as that web site will allow. Big advantage of using a Password Manager is that it does not matter how long and complicated a password is. 40 characters of cryptic garbage is really hard to crack. Never re-use a password on anything critical. Same thing goes for web sites you do not fully trust. For example, I don’t trust any Chinese website. Those have always had unique passwords.

One more thing about most Password Managers. You can put things other than passwords in most PMs. For example, that 800 number on your credit card to call for customer service. If the card gets lost or stolen, how do you call the phone number? Yeah, it’s on your bill, but that’s at home. My PM is accessible on my phone, and the 800 number is stored in the PM.

4 Likes

Just turned on 2FA… and I think it will make the difference… every time someone logs in I get a code to my phone #.

3 Likes

I use KeePassXC. It’s free and open source.

There have been some pretty big credential thefts as of this year already. AT&T and American Express, just to name a couple. You did the right thing right away.

2 Likes

Yeah, thanks AT&T. :upside_down_face:

3 Likes

Bingo.

Yet another reason it is stressed far beyond Wyze to not re-use credentials across sites or apps.

I’m fairly certain that’s what led to someone being able to get my info and open a card in my name last year… I have learned well! :slight_smile:

2 Likes

Agree, but 40 characters really isn’t necessary. With 14-16 characters that include upper and lower case letters, numbers and symbols, you’re pretty bulletproof.

That is until quantum computing encryption breaking becomes widely available. Then we’re in trouble.

4 Likes

Agreed that 40 characters are not needed - I was making a point. With the Password Manager it is as easy to use a 40-character password as a 6-character password (other than some websites won’t accept that long of a password - and often won’t tell you). My relatively low security stuff is in the low-teens, but things like banking and other financial is all well into twenties of cryptic garbage - with 2FA as well. My PM will also tell me if I am re-using a password.

1 Like

This table is a good reminder of why you shouldn’t reuse your password no matter how good of a password it is:

Still, regarding how long it takes to crack a normal password, add any kind of 2FA into the mix and that chart becomes exponentially higher. For example, I may have a password I use leak, but if the company I connect to uses an extra factor like only accepting the password from a previously “approved device” then even if it’s a super simple password, they can enter the password all they want, and it will never do them any good. Similar with using Authenticator apps. By the time they can bruteforce 5min-10min worth of a valid hash, the approval is already changed and they basically have to start from scratch again with another 5-10min window of guesses (often including a 30-second timeout window).

Believe it or not, things are actually improving lately:


There are some pretty cool quantum-resistant techniques being developed, but the challenge will be getting widespread implementation.

I suspect Quantum computers will get used by intelligence agencies (from multiple countries) years before anyone really knows about it. Things don’t often change until there is a scandal first.

1 Like
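The post above leans on the fact that an authenticator code is only good for one short time step, so a password alone (leaked or guessed) is not enough. The following is an added example, not Wyze’s or any authenticator vendor’s code, implementing RFC 6238 TOTP with nothing but the Python standard library so the 30-second window can be seen directly. The key is the published RFC 6238 test-vector key (not a real secret), chosen so the output can be checked against the RFC’s own values.

```python
"""RFC 6238 TOTP (time-based one-time password) from the standard library,
to show what the 30-second code window means in practice.

Added example, not Wyze's or any vendor's code. SECRET is the RFC 4226 /
RFC 6238 test-vector key, used only so results can be checked against the
published vectors; a real enrolment uses a random per-user secret.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC test key, NOT a real secret
STEP = 30                          # seconds per code, as in most authenticator apps


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to pick 31 bits and reduce them to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(key, unix_time, digits=6, step=STEP):
    """RFC 6238: the counter is simply the number of `step`-second intervals
    since the Unix epoch, so every clock in the same interval agrees."""
    return hotp(key, int(unix_time) // step, digits)


def verify(key, code, unix_time, window=1, step=STEP):
    """Server-side check: accept the code for the current interval or one
    interval either side (tolerates small clock skew). Anything older is
    rejected, which is why a captured code is worthless a minute later."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code, "valid for", STEP - int(now) % STEP, "more seconds")
    print("accepted now:", verify(SECRET, code, now))
    print("accepted two intervals later:", verify(SECRET, code, now + 2 * STEP))
```

The test vectors from RFC 6238 (time 59 gives 94287082 with 8 digits, time 1111111109 gives 07081804) reproduce exactly, which is the quickest way to know an HOTP/TOTP implementation has its byte order and truncation right. Note that the secret never leaves the server and the phone; the password database leaking does not leak it.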

How’s this one: with the ease of being able to switch languages on keyboards nowadays, I actually set my main password in one language, and then I’ll use accents that don’t match that language from another language :slight_smile:

In my head that seems far more exotic and encrypted although I could very easily be wrong.

Nobody (at least not more than 14 people) is going to use a German accent over a very United States English word lol

Oh boy…you’re getting me started…

You could buy your own domain, any domain, and then use a different email for every login in a way that matches that domain somehow. So like your Wyze login would be BamWyze@[domain] or WyzeBam@[domain]. Then take it a step further and use it in a way that is less obvious, like instead of using the word of the website you’re logging into, knock it up 2 letters or something, so it could be YabgBam@[domain]. Then you always know what your login is, but it’s always different. Add a number or symbol to it using some similar algorithm that you standardize. Then do something similar with your password(s). Choose some core password that is nonsensical and long but only you would remember. Maybe it involves some number you have memorized but altered in some way, plus a few words, again possibly altered in some other way, maybe involving reversals or overlaps of other words/numbers/symbols but in a standardized way. Then have algorithmic uniqueness for each login such as described above for the user name (i.e., maybe take the second letter in the website name and go up or down a certain number of letters. Or maybe move the first letter up 1 letter in the alphabet (i.e., w becomes x), the second letter down 2 (y becomes w), the third up 3 (z becomes c), the 4th down 4 (e becomes a), etc.) and don’t put them all at the beginning or end, but space them out in your password. Something easy for you to remember algorithmically but without having to remember every character for every website. Then go back and add selective null characters in specific random positions just to throw a wrench in any pattern recognition (maybe an x or q or certain symbol every x characters to break it up). Bonus points if you know a second language and can custom jargonize it (which I do) and not have it all in left-to-right or right-to-left entering. You can stagger words, such as if you would remember 2 words like “hello” and “world”, then you do hello and then world backward.
You type hello first, then at the end you type w [back arrow twice] o [back arrow twice] r [back arrow twice] l [back arrow twice] d -- Then it looks like this: hello forward (highlighted in green for convenience), and world backward and staggered:

hdellrloow

That is nonsense to most brute forcers already, but then you add null letters to add chaos (maybe after every other vowel in the alphabet or every prime number of characters) and numbers and symbols that are all meaningful to you and different letters or whatever based on the website/platform but complete nonsense to anyone else or a bruteforcer. Now just do something like that which is long and you can remember any long password as complete nonsense and have it be different for every login without having to remember them all because it’s a personally tailored algorithm. But… only do that for sites that you have to MANUALLY enter a password often. For ones that can autofill, use a password manager.

And that’s just for beginners :slight_smile:

Honestly, I have some passwords that are so algorithmically complicated beyond what I described above, I can’t linearly tell you what my password(s) are… but I can figure them out by following a set algorithm that only I know the key to. That’s not to say that I trust this method 100%… I still use things like 2FA (and password managers for certain things that can autofill), but I am just saying that having some pattern in place, even a simple one like adding the first letter of the website you’re logging into, can, nearly by itself, totally kill off 99.99% of the risk from credential stuffing because the password will be slightly different on every login you use, and they aren’t accounting for any of that. They’re just having a bot copy the same PW that leaked and pasting it verbatim into every other company’s websites until they find one you reused that login/password for. If you didn’t reuse the EXACT same password anywhere, then it almost doesn’t matter when it leaks. But the more difficult you can make it to figure out the algorithm in your head, while keeping it simple enough for you to remember/figure out, the better.

But honestly, best option is to only do an algorithmic password like that for a Master password and for certain rare logins that you have to remember and manually type in a lot (ie: it won’t autopopulate from a PW manager, and you don’t want to have to keep logging in to look it up, etc)

For anything that can just be autopopulated by a password manager, definitely use that instead. The more random generated passwords, the better.

I’m just saying the above for certain limited use cases. I totally agree with the standard suggestion to generally use a random generation from a password manager if it can auto-fill solely from a trusted device.

3 Likes

I check occasionally with Steve Gibson’s Password Checker Haystack

I also use a password manager so every password is unique. So easy and convenient.

1 Like

Haha, I’m too paranoid to enter in my actual password(s) into an online site that might store and save and use/check said passwords themselves in their own bruteforce training data or something. :joy: But it is possible to use altered versions.

The “Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second)” is just plain scary. Thankfully it’s currently an exaggeration. I believe the best supercomputer equipped with a massive cracking array could still only get 350 billion guesses per second…but that’s still insane. Not that anyone could or would devote that much processing power to anything short of extreme national security, so that rules me out.

I know some people who, when their password leaks, just increment it in some way, but the base PW is the same in some way or contains some of the same words, and brute forcers now give priority to all passwords that have ever leaked as if they are their own character, and then substitute common alternates in them, like zero for O, or a 4 for A or any other kind of standard 1337 5p34k spelling. Common substitutions are not really all that complex to smart bruteforcers anymore. People think they go linearly through the keyboard until they find it, but the truth is that most are now programmed to give priority to alternative spellings with numbers/symbols and iterations on passwords that have ever existed/leaked. So if your password has ever leaked or the root has ever been used by anyone, you need an ENTIRELY new password or it’s easier to crack than you think.

I had a long-time friend (since Jr. High and through College) who actually worked for a security company and was involved in research doing this and programming them to be able to take brute force shortcuts through machine learning like this (and this was at least 2 decades ago when he was working on that, let alone the machine learning advancements on it in the last 2 decades). So in a lot of ways, all of these “It will take X Years” to guess your password calculations aren’t taking into account the machine learning brute forcers that have learned to mostly ignore certain character patterns that are highly unlikely and deprioritize them, thus saving the computing power from most of those guesses and cutting the time needed to find the PW exponentially shorter… and worst case scenario it will guess the low-likelihood options toward the end or on a de-prioritized core just to make sure they are still covered eventually…

Crazy to think that even brute-forcers use machine learning/AI…
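The practical takeaway from the two posts above is a server-side one: when a user picks a password, reject it if its “root” is a known leaked password, even after the usual leet substitutions or a bumped-up suffix. The following is an added example, not the forum’s or any vendor’s code, of that check in the spirit of a breach blocklist; the leaked list is a constructed sample and the substitution table is an assumption standing in for a real rule set.

```python
"""Breach-blocklist check that sees through the 'tweaks' the posts above
describe: 1337 substitutions and an incremented year/counter/symbol suffix.

Added example, not the forum's or any vendor's code. LEAKED_ROOTS is a
constructed sample; a real deployment uses a large breach corpus.
"""
import re

LEAKED_ROOTS = {"password", "wyzecam", "sunshine", "letmein"}  # constructed

# Assumed substitution table: common leet spellings mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_suffix(s):
    """Drop a trailing run of digits/symbols ('sunshine2024!' -> 'sunshine')."""
    return re.sub(r"[^a-z]+$", "", s)


def roots(pw):
    """Candidate roots of a password. Several orderings are tried because
    a trailing '3' may be a leet 'e' (sunshin3) or a counter (sunshine3)."""
    p = pw.lower()
    return {
        p.translate(LEET),                 # leet only
        _strip_suffix(p.translate(LEET)),  # leet, then strip suffix
        _strip_suffix(p).translate(LEET),  # strip suffix, then leet
    }


def is_leaked_variant(pw, leaked=LEAKED_ROOTS):
    """True if any candidate root of `pw` is on the breach list, i.e. the
    password is a cosmetic variant of something that has already leaked."""
    return any(r in leaked for r in roots(pw))


def check_new_password(pw, leaked=LEAKED_ROOTS, min_len=12):
    """Policy decision a signup form would apply; returns (ok, reason)."""
    if len(pw) < min_len:
        return False, "too short"
    if is_leaked_variant(pw, leaked):
        return False, "variant of a leaked password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Sunshin3", "Wyz3cam2024", "correct-horse-battery"]:
        print(f"{candidate!r}: {check_new_password(candidate)}")
```

The point the posts make is visible in the output: `P@ssw0rd1!`, `Sunshin3` and `Wyz3cam2024` all normalise to a root on the leaked list and are rejected, while a passphrase that shares no root passes. Matching on roots is deliberately coarse; it costs a few false positives but catches the “bump the year” habit that a plain exact-match blocklist misses.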

Agreed. I entered some test passwords generated by my password manager that are quite lengthy and found them much better than my own concoctions. I definitely learned to use unique passwords and it is quite easy with a secure password manager.

2 Likes