During a software update performed on our server in the United States on May 17th at 4:50 AM EDT, a bug occurred affecting a limited number of users in the United States, Canada, Mexico, Cuba, New Zealand, Australia, and Argentina. Users in Europe and other regions remain unaffected. Our engineering team identified the issue at 5:30 AM EDT and immediately rolled back the server version and deployed an emergency update. The incident was fixed at 6:30 AM EDT. We have confirmed that a total of 712 users were affected in this case.
Although the issue has been resolved, we recommend users in the affected countries (US, Canada, Mexico, Argentina, New Zealand, Australia, and Cuba) to:
Please unplug and then reconnect the eufy security home base.
Log out of the eufy security app and log in again.
All of our user video data is stored locally on the users’ devices. As a service provider, eufy provides account management, device management, and remote P2P access for users through AWS servers. All stored data and account information is encrypted.
In order to avoid this happening in the future, we are taking the following steps:
We are upgrading our network architecture and strengthening our two-way authentication mechanism between the servers, devices, and the eufy Security app.
We are upgrading our servers to improve their processing capacity in order to eliminate potential risks.
We are also in the process of obtaining the TUV and BSI Privacy Information Management System (PIMS) certifications which will further improve our product security.
We understand that we need to build trust again with you, our customers. We are incredibly sorry and promise to take all the necessary measures to prevent this from ever happening again. Thank you for trusting us with your security and our team is available 24/7 at email@example.com and Mon-Fri 9AM-5PM (PT) through our online chat on eufylife.com.
Far out, I was getting someone else’s camera feeds from inside their house - I could even control their cameras! I sent Eufy support the details.
This is just nuts, and I wonder how many other people this major breach has affected.
A bug is a bug. If it was a bug, it maybe wasn’t even their fault. I work as an IT administrator too - as I said - this never should happen, but it can. And if it happens, all that counts is that you react as fast as possible - that’s what they did.
What would you have of an excuse? It happened
This is a wholly insufficient response to a major security breach. Thankfully I don’t have any cameras inside my house, as I would be livid if suddenly complete strangers could potentially see or screenshot/record things that they have no business looking at.
There needs to be a comprehensive response about how this happened and what will be done to prevent this ever happening again. Otherwise I will be packing up all of my cameras and returning them for a refund. As I am sure many others will too.
If Eufy had spent time designing their security and authentication processes correctly, a server side issue would not result in anyone seeing someone else’s accounts details, feeds, and events. It just shows that the people designing the system don’t know what they are doing. It wasn’t a bug, it was poor design.
It’s like the Sync “bug” that erases all your events when a button is held down on the field device. There again, a design choice that nobody thought through and they don’t seem to be able to fix. How many other “bugs” are waiting out there?
If they really care about their customers they would update their response here to reflect that humility they expressed to Engadget to their customers. Apologizing to the press means nothing if it’s not communicated directly to your customer. Let’s hope that when you know better, you do better because this may not be the last time they have to make an apology. Time will tell. To be continued…