As reported yesterday, Eufy experienced a breach of security in which users reported being able to see strangers' live streams and recordings, and even control the pan and tilt. The company has now issued a statement explaining the situation, and it appears that a bug rather than a third-party breach caused the issue.
The issue was first reported on the Eufy subreddit by user MeChum87, who found that upon logging into their Eufy security app account they could see strangers' live streams, recorded clips, and account details, and even control the movement of strangers' Eufy Pan & Tilt cameras.
This report was backed up by several other users from the United States, New Zealand and Australia. Although Eufy did not respond directly on the Reddit threads, the company has now released a statement via its Twitter account.
A software bug occurred during our latest server upgrade at 4:50 AM EST today. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST.
We recommend that all users:
— Eufy (@EufyOfficial) May 17, 2021
“Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001%) of our users were able to access video feeds from other users’ cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST.
The issue affected users at a small rate in the United States, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina. Users in Europe remain unaffected.
Our customer service team will continue contacting those who were affected. Eufy Baby Monitors, eufy Smart Locks, eufy Alarm System devices and eufy PetCare products remain unaffected.
We realize that as a security company we didn’t do good enough. We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again. For any questions, users can contact our support team at email@example.com.”
So, based on the statement, it looks like a software bug caused the issue rather than a security breach. It also looks like European users were unaffected, probably because this set of users is connected to a different server. If EU users had been affected, GDPR would have been a major issue and Eufy would have had to be a lot more forthcoming about what data had been exposed.
Although this statement from Eufy explains the situation and provides some comfort that it was not a third party that had hacked its service, it is probably too early to ascertain whether this response restores faith in the company and its products. Judging by the comments on its Twitter feed and continued discussion on Reddit, users still want to know what data was exposed.
While the internet of things will never be safe from data and security breaches, and I have Eufy cameras around my home, these are all connected via HomeKit Secure Video and have restricted access to the internet. If you want to know about HomeKit Secure Video and HomeKit Secure Routers, then hit the links to find out more.