Dear eufy Security users
During a software update performed on our server in the United States on May 17th at 4:50 AM EDT, a bug occurred affecting a limited number of users in the United States, Canada, Mexico, Cuba, New Zealand, Australia, and Argentina. Users in Europe and other regions remain unaffected. Our engineering team identified the issue at 5:30 AM EDT and immediately rolled back the server version and deployed an emergency update. The incident was fixed at 6:30 AM EDT. We have confirmed that a total of 712 users were affected in this case.
Although the issue has been resolved, we recommend users in the affected countries (US, Canada, Mexico, Argentina, New Zealand, Australia, and Cuba) to:
- Please unplug and then reconnect the eufy security home base.
- Log out of the eufy security app and log in again.
All of our user video data is stored locally on the users’ devices. As a service provider, eufy provides account management, device management, and remote P2P access for users through AWS servers. All stored data and account information is encrypted.
In order to avoid this happening in the future, we are taking the following steps:
- We are upgrading our network architecture and strengthening our two-way authentication mechanism between the servers, devices, and the eufy Security app.
- We are upgrading our servers to improve their processing capacity in order to eliminate potential risks.
- We are also in the process of obtaining the TUV and BSI Privacy Information Management System (PIMS) certifications which will further improve our product security.
We understand that we need to build trust again with you, our customers. We are incredibly sorry and promise to take all the necessary measures to prevent this from ever happening again. Thank you for trusting us with your security and our team is available 24/7 at firstname.lastname@example.org and Mon-Fri 9AM-5PM (PT) through our online chat on eufylife.com.
A software bug? That’s the story you’re sticking with?
Thousands, if not millions, of people could see other users’ camera feeds and you’re saying it’s a software bug?
This was a MASSIVE breach in home security!
Heads up! Shit happens. Great to hear you solved it this fast! This sure should never ever happen - but it did and can’t be turned back.
I am sure you will learn from this and do better in the future.
It shows greatness to stand by your mistakes.
Here are the steps to take if you want me to ever trust your products again:
- Implement actual end to end encryption. Server-side changes should never even be able to lead to this kind of problem.
- Make sure the app works even without internet access on LAN by adding local discovery of Homebase and cameras.
- HomeKit only mode for Indoor cams would be good too.
- Store event miniatures on the Homebase instead of your servers as they seem to be now.
That being said, kudos for reacting quickly to the problem
Did this affect accounts with MFA too?
They didn’t stand by anything.
They blame it on a bug.
They didn’t apologize or show any concern about people’s privacy worries.
Far out, I was getting someone else’s camera feeds from inside their house - I could even control their cameras! I sent Eufy support the details.
This is just nuts, and I wonder how many other people this major breach has affected.
A bug is a bug. If it was a bug, it maybe wasn’t even their fault. I work as an IT administrator too - as I said - this never should happen, but it can. And if it happens, all that counts is that you react as fast as possible - that’s what they did.
What would you have of an excuse? It happened.
Will there be a follow-up apology to Eufy users or is that all we are getting?
This is a COMPLETE DISGRACE… Eufy “security” products are anything but… sheesh…
Huge Eufy privacy breach shows live and recorded cam feeds to strangers
Curt indeed, and a bit of emotion would have softened the blow a (tiny) bit. Know your audience I’d say. Keep that for the future. Free, no charge this time.
That said, other companies would have kept quiet…indefinitely, so thanks for not doing that!
I’m noticing a trend when it comes to Eufy and the multiple issues they have. DEFLECT, DEFLECT, NOT OUR FAULT, DEFLECT.
FYI - If you need to read an apology, they gave one on their statement to Engadget along with more details.
This is a wholly insufficient response to a major security breach. Thankfully I don’t have any cameras inside my house, as I would be livid if suddenly complete strangers could potentially see or screenshot/record things that they have no business looking at.
There needs to be a comprehensive response about how this happened and what will be done to prevent this ever happening again. Otherwise I will be packing up all of my cameras and returning them for a refund. As I am sure many others will too.
Why do I feel like anybody who complains here is going to have “issues” with their eufy account in the future?
If Eufy had spent time designing their security and authentication processes correctly, a server side issue would not result in anyone seeing someone else’s accounts details, feeds, and events. It just shows that the people designing the system don’t know what they are doing. It wasn’t a bug, it was poor design.
It’s like the Sync “bug” that erases all your events when a button is held down on the field device. There again, a design choice that nobody thought through and they don’t seem to be able to fix. How many other “bugs” are waiting out there?
If they really care about their customers they would update their response here to reflect that humility they expressed to Engadget to their customers. Apologizing to the press means nothing if it’s not communicated directly to your customer. Let’s hope that when you know better, you do better because this may not be the last time they have to make an apology. Time will tell. To be continued…
@richardweijens according to Engadget it did not affect European users - see link above - and we have been spared.