Update 2/19/24
Hey all,
Our teams have been very hard at work all weekend and I wanted to provide a quick update about what we’ve uncovered about the security event that happened on Friday, though you’ve likely already seen communication from our teams in other places. We have sent out official notifications to all users whether you were affected or not. You can see the emails we sent here:
We had a caching issue from a third-party caching client library that was recently integrated into our system. It got overloaded after the outage Friday morning and got wires crossed while trying to come back online.
Here’s the high level stats.
About 13,000 users received thumbnails from cameras that were not their own. 1,504 tapped on those thumbnails. Most of these taps enlarged the image, but we found a few cases with things like Cam Plus Lite and sound detection events where the thumbnail was attached to an event video and the video was viewed. Videos from live streams were not affected. Overall, this event affected a little less than 0.25% of Wyze users, including users who received thumbnails and users who had their thumbnails sent to a different account.
As I mentioned in my other posts, our engineering team has added a new layer of verification between users and event videos to prevent this from happening again. We’ve also removed the client library and will not be using caching until we can find a new client library and stress test it for extreme scenarios like we saw on Friday.
This investigation is not wrapped up yet, we will continue to discuss as a leadership team and evaluate what needs to change to better protect our users. I do want to thank everyone who has helped us with reports and logs to properly identify the issue and the affected users. This has been an incredibly stressful weekend for all and we are grateful for your help and so sorry that this happened.