In our ongoing commitment to security, we wanted to share details of a mistake we made on Friday, September 8th that affected 10 people and was immediately resolved. We’ve completed an internal investigation and would like to share details of what took place and what we’re doing to prevent it from happening again. We take security extremely seriously at Wyze and work as hard as we can to give users peace of mind and earn your trust. Here’s how we fell short of that last week and what we’ve done to make sure we do better going forward.
On Friday, September 8th, an engineer was fixing a bug on our online web viewing portal, view.wyze.com. In the process of deploying the fix, the wrong CloudFront caching setting was selected. Simply put, it crossed some wires in the backend and, for about 40 minutes, up to 2,300 users who logged in to the online web viewing portal may have seen cameras from one of the 10 affected users who had also logged in during that time.
When we discovered the incident, we immediately took down view.wyze.com to investigate and resolve the issue. View.wyze.com was back online a few hours later.
We want to make it absolutely clear that it did not affect the Wyze app or the 10M+ users who only access Wyze products through the Wyze app. The web portal view.wyze.com is a separate viewing experience behind a paywall.
Here’s what we’re doing to rectify the situation and prevent it from happening again. So far we’ve:
- Conducted a detailed investigation. Due to the low amount of traffic to this site, we were able to analyze page traffic in detail and know exactly 10 users were affected.
- Provided as much detail as we could reliably confirm as it was unfolding in real time, including on Reddit, Facebook, Wyze Forum, core communities, our website and answering questions from the press.
- Notified the 10 users that their accounts were affected.
- Further limited account permissions, updated company policies, updated training for Wyze employees, and implemented other technical fixes including additional admin alerts so that this doesn’t happen again.
- Hiring an external security firm to do further penetration testing of Wyze systems and processes.
Security is a core focus for us here at Wyze. We have built a dedicated security team and continually invest millions of dollars into security to keep our customers safe. We made a mistake here and will take all the appropriate steps to make sure it doesn’t happen again. We especially apologize to the 10 affected users and any users who signed into the web portal during this time.