Eufy blames software ‘bug’ for breach that exposed users’ video footage to strangers

eufy-video-monitor

Some Eufy security camera users reported they were able to access strangers’ Eufy accounts, including live and recorded video feeds — though Eufy baby monitors were unaffected, according to the company.


Eufy

An apparent software glitch was responsible for exposing some Eufy security camera customers’ private information and video streams to other users early Monday.

The security breach was first made public when customers began reporting the unusual phenomenon on Reddit. There, customers posted that the Eufy app was granting them access to other users’ account information, including both live and recorded video streams as well as letting them control other users’ physical cameras with actions like pan and zoom.

Calling the breach a “bug,” Eufy spokesman Bryan Saxton said the problem started just before 2 a.m. PT (5 a.m. ET) during a server upgrade and allowed a “limited number” of users to access video feeds from cameras belonging to strangers.

According to Saxton, Eufy’s engineering team became aware of the issue around 2:30 a.m. and had it fixed by 3:30 a.m. PT.

While the earliest reports came from Eufy customers in Australia and New Zealand, before long, US users were complaining of similar problems. Saxton confirmed that the issue was limited to the US, New Zealand, Australia, Cuba, Mexico, Brazil and Argentina and that it did not affect European users. He indicated the following devices also were not affected: Eufy baby monitors, smart locks, alarm systems and pet care products. 

Cameras set up using Apple’s HomeKit were also reportedly unaffected, according to anecdotal evidence from Eufy customers on Reddit and elsewhere.

A staff writer at 9to5Mac confirmed his Eufy account made it appear as though he was logged in as someone else, with access to the other person’s user details, recordings and live feeds. The staffer reported that logging out then back in seemed to restore access to his own cameras.

“We realize that as a security company we didn’t do good enough,” Paxton said. “We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again.” He also promised to share more information on those protocols as it becomes available. 

According to Saxton, Eufy’s customer service team will contact affected customers, but users with further questions can contact the Eufy support team at support@eufylife.com. 

Update, 12:08 p.m. PT: Adds statement and information from Eufy.

Related Posts