Wyze Outage and Investigation of Security Issue

Cofounder of Wyze here. As you know we had an outage this morning driven by an issue with our partner AWS. Cameras are starting to come back online for live viewing, but we are now restricting access to the Events tab while we investigate a possible security issue. We’re so sorry and will get your cameras fully recovered as soon as possible! We will also share results of our investigation.

Mod Edit: Adding update posted Feb 19 at 10:27 AM PT

Mod Edit: Adding update posted Feb 16 at 3:35 PM PT

Update and early investigation results: After an AWS outage this morning, our servers got overloaded and it corrupted some user data. We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab. Fortunately, they were not able to view live streams or watch these videos, only the thumbnails were visible.

So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users. These affected users will be notified asap. We will also send notification to all Wyze users explaining what happened.

As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens.

We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again. Again, we are very sorry for the inconvenience today. Thanks to everyone who helped report incidents and helped get devices back online. Our deepest apologies to everyone affected.

Mod Edit:
We have an update containing emails sent to both affected and unaffected Wyze users with more details. The thread can be found here:

Was the security issue only with events or events notifications? We had a Cam Pan that started moving on its own near the time that cameras were starting to come back on line, was live feed also compromised?

I heard a v2 cam rebooting itself repeatedly (4-5 times) at about 4-5a Pacific.

No widespread reports of this, I do not think it is related. Possible the camera was rebooting?

Sure Jan! Just report back to your long-time Customers, (2019 here) what consolation services will you provide, for those of us who suffered severe security issues THANKS to your leaky anti-hack defenses. We’re all waiting…

I heard a v2 repeatedly rebooting at 5AM Eastern. Which is what prompted me to check my local system status. Which is what led to discovering a larger issue in the cloud.

ALL MY DEVICES went completely OFF LINE for hours, early am 2-16-24 during crucial surveillance time frames. Expect WYZE to issue an honest robust Report. Thanx

They’re pointing the finger at AWS…again.

And if the metrics can show improvements, why can it not show when it’s down?

Could be that the camera was resetting, this was around 09:30am PT

Please tell me the events will come back. We had an incident in the neighborhood today and we believe the camera captured it and it may need to be turned into law enforcement and now cannot access it!

Based on threads in Reddit, I think the security issue was people getting events from other people’s cameras. If that’s true, and I have no first hand experiences to confirm, then it really needs time taken to be sure it’s fully fixed.

4pm CST and none of my devices will connect…still.

Thank you for the update! Of course today of all days we actually need footage. Hopefully we can get it back in the next few days to forward it.

SD Cards in cameras? If so, you probably have what you need. May need to pull the card from the cameras to access it if you need it quickly.

Hi folks -
My Wyzecam V1, Pan v2, and Outdoor cameras have all reconnected.
However, my Wyzecam v3 sits at “Ready to connect” and will not scan the QR code.
I tried using a screenshot of the QR code on my PC as suggested in an old post, but no luck.
I’ve tried multiple times, with minutes and hours between attempts with the camera powered down.
I have to assume this is related to the outage somehow, unless anyone has other ideas.
Thanks!

Greetings,

I do appreciate your communication.

I have a serious question for. you however. I own a Cubby bed for my special needs child, and the electronic package comes equipped with a Wyze V3 cam for monitoring.

In light of the resurfaced issue of non authorized parties capable ofviewing my 3 year old special needs toddlers events in his bed are disturbing.

Can you please tell me if my toddler has been exploited by this security bug, and if so how many times.

I have made cubby aware of the situation so hopefully between WYZE and cubby there can be more protection for the children?

Thank you.

Security questions about your individual account can be asked and investigated by sending an email to security@wyze.com

If you’d like someone to answer about your account, I would reach out there and they can review things for you.

Update and early investigation results: After an AWS outage this morning, our servers got overloaded and it corrupted some user data. We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab. Fortunately, they were not able to view live streams.

So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users. These affected users will be notified asap. We will also send notification to all Wyze users explaining what happened.

As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens.

We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again. Again, we are very sorry for the inconvenience today. Thanks to everyone who helped report incidents and helped get devices back online. Our deepest apologies to everyone affected.

Thank you for the update and the action taken thus far, I appreciate it