We had one of our cameras hacked - someone was yelling through the camera. We’ve since changed passwords and added two point verification but what else can we do? Has me thinking that these Wyze cameras are not secure or safe to have. Thanks
Hello @Tyler03 and welcome to the community
The issues I have seen with most cams getting ‘hacked’ is more the account being compromised. So changing your password and setting up 2FA are good things. I would also make sure your password is nothing easy and nothing you use as a password for anything else.
WYZE does take security seriously and I feel the cams are as safe as can be, the weak point is the account and how secure people keep it.
Interesting. I haven’t heard too many reports of actual camera-hacking in the real world. If you have a family member – especially a teenager – with access to your phone or account, that would be my first suspicion. Sounds like a prank. But as @WyzeJasonJ mentioned, your camera and account are only as secure as your security methods. It’s important to use strong passwords that you don’t use for other services, and 2-factor authentication can also help. Other than that, of course, the security of the devices you use to access the camera is super important as well. If someone knows your phone passcode, for example, it would be easy to grab your phone and prank you like this.
Welcome to the community, @Tyler03. Thank you for reporting this. Changing your password and turning on 2FA were good things to do. Both of the Mavens are spot on with what they are saying. It’s very possible your account was compromised, and the camera itself was not hacked. I would recommend checking any other accounts that you might be using the same username and password with. Change all of them to unique passwords, and don’t reuse the same passwords you have used anywhere else. We will let Wyze know about this.
Too bad you can’t change your username at Wyze.
Just a tip for passwords: use a password from another language OR use accent letters from another language in your password. For typing these words in the other language you could download another language for your keyboard or just copy-paste using Google Translate.
Example: English on the left and German on the right. The word BIG in German uses a "symbol" letter for what would be their double S. Something rather unique for an English speaker’s password.
I must admit, I don’t use this on my Wyze account but I do on many other accounts I have without issue. It’s just a thought, something that might help you secure your account even more.
The mods let me know about this post. Thank you for reporting this and sorry to hear about the situation! It sounds like you’ve already taken the security precautions that we would recommend and you should be set. With the encryption that the live streams have (where someone would be using the 2-way audio), it is pretty unlikely that this was a hack as opposed to an account access situation.
If you also want to change your username, you can make a new account with a different email and set up your Wyze products using it. However, with the password change and 2FA, that one is up to you.
Have you contacted our customer support team? We’ll be back in the office tomorrow.
Yes, I contacted them yesterday. Will they be able to tell me exactly how or what happened? Thanks
Do you have continuous recording enabled? Is there video of this? Do you share your camera with anyone or share your main login with anyone?
Edit/removed redundancy…
I’m not sure if they will or not, but it wouldn’t surprise me if they can’t for privacy reasons. Think about it like this: If someone did steal your info, it might be hard for Wyze to prove that you’re the rightful person who should have access to that information. You could just as easily be the person who stole that person’s info, who is now looking to cover your tracks or discover how much info they might have on you.
That’s not an accusation, of course. I’m sure everything you’ve said is true. It’s just that it would be difficult to prove, and if someone were trying to gain more access or info about you through social engineering, they might use this type of tactic. That’s why this is precisely the type of thing you wouldn’t want a company to do.
Anyway, they’ll be able to tell you what info they can share for sure.
While this is certainly bad for you, I’m glad you posted about it. It was kind of a service to others as a reminder to double check security, who has access, etc. In fact, I had been meaning to increase security for a while now and because of your post I enabled 2-factor authentication and upgraded my password to a random letter/number/symbol secure password generated by my LastPass app.
2-factor works really well, a short time after changing the password, it kicked my two tablets off that I have mounted as 24/7 monitors. When I logged back in with the new password I got the 2-factor text on my phone with the code near instantly.
One other thing people may have to do is check anyone else that you’ve shared with. Changing my main account password didn’t seem to affect my wife, who I shared everything with for viewing. Shared accounts are pretty restricted as far as making changes, etc., but I enabled 2-factor authentication on her email sign-in as well, so if someone ever got her email address/password combo, they couldn’t log in to view the camera stream.
@UserCustomerGwen @nerdland how can international users without access to 2FA protect ourselves from this? Is proper 2FA coming anytime soon?
If you create a good, strong, unique password you should be safe, and then you could change the password often to be even safer.
Unauthorized account access due to weak or compromised credentials is not the same thing as “hacking.” If someone enters a correct username and password into the system, it’s obviously going to give them access.
True, hacking is the automated scripts to find the compromised accounts. Just pointing out this is a user issue in most cases.
Very rare it’s a “hack” versus a user having an easy password. Always use strong passwords and never use the same password more than once. Set up and use MFA if it has the feature.
Notice: This post is for folks who aren’t familiar with 2FA, Password Managers, and VPN.
As far as password security, 2FA is awesome. However, having a strong password is essential. I use a password manager which lets me create passwords with one click and as lengthy as I want with unique characters. Here’s an example: 4QHzm%7vVrFxZw$cSArh^zEz92u8RV
A good password/security setup would be like this:
- Sign up for a password manager account with the company of your choosing (LastPass, 1Password, Bitwarden, etc.)
- Create a strong master password for the password manager account and activate 2FA.
- Use the password generator in your password manager to create passwords like the one I posted above.
- Do not reuse/share passwords. Create new strings for each account.
- Change your passwords for all your online accounts; I know this might be a long chore but you can do it when you’re accessing each account. Before long, you’ll have them all changed. Sadly, US banks (at least the ones I deal with) still rely on SMS verification instead of 2FA so the accounts that should have the most security actually have the least secure verification method. Sigh. Oh, if you’re not aware, SMS can be intercepted and hijacked.
- I highly recommend that you sign up for a VPN service, especially if you use public wifi networks like in airports, Starbucks, etc… To keep it simple, a VPN masks your IP (think of it as your digital ID) by routing all your web activities through the VPN service’s servers before sending the traffic back to your device. For example, you visit wyzecam.com without having a VPN. Wyzecam staff would be able to see your IP and tell where you are connecting from. If you had a VPN, you connect to wyzecam.com and they will see the IP of the VPN server and not your actual IP address. Of course, your online browsing is anonymous as long as you don’t sign into an account that might have your real info.
- Use a browser that respects your privacy like Firefox. Steer clear from Google.
My personal software recommendations:
- for password managers: Bitwarden. Why? It’s open source and is reviewed by qualified developers. You can also host the software on your own server if you distrust having your passwords saved on some company’s cloud servers.
- For 2FA: AUTHY. Why? You can install Authy on multiple devices so if you lose your phone, you won’t lose access to all your accounts. I have it installed on my phone and PC. I also use their backup feature which saves the 2FA codes in the cloud.
- Browser: Firefox. Why? I have complete control over the privacy settings unlike with other browsers. Not to mention, it’s faster and less of a resource hog than Chrome.
- VPN: Torguard or PIA. Why? Both are excellent services that don’t actually keep logs.
- Email: Zoho Mail if you use free email. If you can afford it, get ProtonMail. Why? Email encryption.
- Payment methods: Privacy.com. Why? It lets you create virtual cards with specific spending limits. You can also use ANY billing/shipping address, and even the name on the card doesn’t have to be real. It’s great to minimize the risk of debit card theft. It’s free to use as they take a portion of the processing fees from the seller. It’s like PayPal but better.
Whatever you take from this, please follow these no matter what:
- Use 2FA if possible.
- Don’t reuse the same password on online accounts.
- Don’t use Gmail.
Last tip: If you need help finding alternatives to Google services, visit this website for a nice list:
Hope this helps!
The core problem with hacking is it is the user’s fault. Yes, good developers and companies will anticipate the various ways users will not be smart, and correct for this… but bottom line is if you get hacked, it’s your fault.
So how do you prevent ever being hacked? I’ve been developing software and using a computer for 37 years. Here’s my 2 cents:
- Use a password manager and let it assign all your passwords. You only need to remember one then. And no passwords are repeated on all your other sites then, and you can specify to make them complex and strong. BUT for your one/main password, make that one password as long as possible. Seriously, at least 16 characters. 24 is even better. And before y’all complain “I can’t remember that”… it’s not hard to take a familiar 4-character password and repeat it 4 times and vary it each time a bit, or your favorite 8-character password and repeat it 2 (or 3) times. For example… “pony” becomes “ponyPonyPONYpony”. or “Light123” becomes “Light123Light123” or “Light123Light321”. If you throw in just one special character, that’s an added security bonus and multiplies your complexity.
- But, it’s not the complexity that really matters, as most “experts” tell you. You DO NOT NEED special characters and all the other junk they force you to use. LENGTH of password is CRUCIAL. If you had a special-character password of 8 characters, and I had one using just normal letters but 16 characters long, your password will be hacked LONG before mine will.
- All of these people on the news with their Ring cameras getting hacked… it was their fault. They did not care about security AT ALL and ignorantly used some simple username and password that they’ve probably used on a hundred other sites. Don’t fall into this trap.
- If you are up to it, or know someone who can set it up for you… you really should think about separating all your smart devices (TVs, cams, appliances, etc.) onto a subnet for your home network. That way, in case any of them are breached (they have far less security than your phone or laptop), none of your valuable devices are compromised on the main network.
- At least twice a year, you should change all your passwords. If you use a password manager, this is very easy. Why? Well, in case one of your smart devices was hacked, the hacker could have placed a small bot in it to expand a botnet and do some dirty work for the hacker (including constantly eating your bandwidth or probing your network to get at your personal data, or even using your resources to help them commit cybercrime!).
Moral of the story? Use a long password. Don’t repeat any passwords for any accounts you have, so use a password manager to keep track of them. Try to use different login IDs if you can also. Enable 2-factor authentication whenever and wherever possible!
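The arithmetic behind the length-versus-complexity comparison in the post above, as an added example that is not part of the original thread. The function names are illustrative, the two sample passwords in `SAMPLES` other than the ones quoted from the post are constructed, and the repeat check is a simple heuristic that ignores case: it shows how a password built by repeating a short unit has a much smaller guess space than its length suggests.

```python
import math
import string

def charset_size(pw):
    """Size of the smallest standard alphabet covering the characters in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += 32
    # Anything else (accented letters, for instance) is counted per distinct character.
    size += len({c for c in pw if c not in string.ascii_letters
                 and c not in string.digits and c not in string.punctuation})
    return size

def brute_force_bits(pw):
    """log2 of the exhaustive search space for this length and alphabet."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size > 1 else 0.0

def smallest_repeating_unit(pw):
    """Shortest prefix that, repeated case-insensitively, rebuilds pw."""
    low = pw.lower()
    for n in range(1, len(low) + 1):
        if len(low) % n == 0 and low[:n] * (len(low) // n) == low:
            return pw[:n]
    return pw

def pattern_bits(pw):
    """Search space for a guesser who tries short units and repeats them."""
    return brute_force_bits(smallest_repeating_unit(pw))

# First two are constructed samples; the rest are quoted in the post above.
SAMPLES = ["aB3$xY7!", "qzmvkdhtrwplxnbg",
           "ponyPonyPONYpony", "Light123Light123", "Light123Light321"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:18} len={len(pw):2} brute={brute_force_bits(pw):6.1f} bits "
              f"pattern={pattern_bits(pw):6.1f} bits")
```

The 16-letter lowercase sample has a larger brute-force space than the 8-character mixed one, which is the post's point, but that only holds when the characters are chosen independently, as a password manager's generator does.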