An apparent software glitch that exposed private information and video streams belonging to hundreds of Eufy security camera customers has been resolved, according to the company.
The security breach was first made public on Monday when affected customers began reporting an unusual phenomenon on Reddit: The Eufy app apparently granted them access to other users' account information, including both live and recorded video streams. Not only that, some users reported the app let them control other users' physical cameras with actions like pan and zoom.
Eufy said Wednesday that a total of 712 users' accounts were exposed to other Eufy app users before the problem could be addressed.
Calling the breach a "bug," Eufy spokesman Bryan Saxton said the problem started just before 2 a.m. PT (5 a.m. ET) Monday during a server upgrade. According to Saxton, Eufy's engineering team first became aware of the issue around 2:30 a.m. and had it fixed by 3:30 a.m. PT.
While the earliest reports came from Eufy customers in Australia and New Zealand, US users were soon complaining of similar problems. Saxton confirmed that the issue was limited to the US, New Zealand, Australia, Cuba, Mexico, Brazil and Argentina and that it did not affect European users. He said the following devices were also not affected: Eufy baby monitors, smart locks, alarm systems and pet care products.
Cameras set up using Apple's HomeKit were also reportedly unaffected, according to anecdotal evidence from Eufy customers on Reddit and elsewhere.
A staff writer at 9to5Mac confirmed his Eufy account made it appear as though he was logged in as someone else, with access to the other person's user details, recordings and live feeds. The staffer reported that logging out then back in seemed to restore access to his own cameras.
While Eufy has confirmed that the problem has been resolved after rolling back its servers and deploying an emergency update, the company recommends that users in the affected countries take two precautionary steps: First, unplug and then reconnect the Eufy security home base from the power outlet. Second, log out of the Eufy mobile app and then log back in.
"We realize that as a security company we didn't do good enough," Saxton said. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."
Some of those new protocols include:
- Upgrading Eufy's network architecture and strengthening its two-way authentication mechanism.
- Upgrading Eufy's servers to improve processing capacity.
- Obtaining specialized Privacy Information Management System, or PIMS, certifications.
According to Saxton, Eufy's customer service team has attempted to contact all affected customers, but users with further questions can email the Eufy support team at firstname.lastname@example.org.
Update, May 19: Adds more information from Eufy.