If you invest in an internet-connected security camera system, you might expect that the makers would take security extremely seriously. After all, what consumer would invest in such a system if they were worried about hackers spying on them in their home?
This article first appeared in Salon.
Shockingly, executives at Wyze Labs, makers of a line of popular affordable security cameras, just announced that personal information from 2.4 million customers had been exposed to the public. The breach included information like WiFi network details and customer email addresses. It is possible that an unknown third party already has these customer email addresses, making them vulnerable to spam or phishing attempts. While the company’s cameras themselves seem not to have been hacked or breached directly, having the email address for a customer is often enough to be able to hack into someone’s assorted internet accounts.
As security breaches accumulate, consumers are particularly at risk if they use the same passwords and login names on different sites, as many databases of breached usernames and passwords are already public. The blog Twelve Security made the breach public the day after Christmas. Wyze executives were only made aware of it after a customer posted the blog post on a Wyze online forum. Once executives audited the breach, they discovered a second one occurred on Dec. 27.
Wyze Labs is known for its budget-friendly indoor WiFi-connected cameras, some of which cost just $20. Other cameras on the market, like the Nest or Ring, range from $60 to $200.
Details as to how the breach occurred remain unclear. The investigation into both breaches is ongoing. As the New York Times reports, “the first Wyze breach occurred after an employee created a flexible database to quickly pull user analytics.”
That employee removed the security protocols on the new database, exposing customers’ personal information. Customers’ passwords were not saved on the breached database, so hackers could not access live camera feeds, said Dongsheng Song, a co-founder at Wyze.
“We didn’t properly communicate and enforce our security protocols to new employees,” Mr. Song said. “We should have built controls, or a more robust tool and process to make sure security protocols are followed,” he added.
Dave Crosby, a co-founder of Wyze, told the Times that the employee who made the mistake is still employed at Wyze.
“It was an accident,” Crosby was quoted as saying in the New York Times. “We are very, very sorry and taking it very seriously.”
Data security expert Jennifer King, the director of consumer privacy at the Center for Internet and Society at Stanford Law School, told the New York Times this is a reminder that “consumers have zero control.”
“We are definitely at the point where if we want to change anything, we need regulation,” King said.
King added that consumers are more vulnerable when data is on the cloud.
“If the company isn’t necessarily practicing the best security practices, you can do all you can and you’re still going to be exposed,” King said.
Another expert said the company should expect consumers to bring class-action lawsuits in the near future.
According to a Wyze Labs company blog post, all users who created an account prior to December 26th, 2019 have been affected. The company started to send emails to customers on Monday.