A serious security flaw in Wyze’s popular home security cameras exposed the private video feeds and notifications from thousands of users’ homes, the company has confirmed.

The issue came to light last week when Wyze camera owners began reporting on forums and social media that they were suddenly seeing camera feeds and receiving motion alerts from strangers’ homes in their Wyze app. At first, many users assumed it was just a bizarre glitch. But Wyze co-founder David Crosby soon confirmed to The Verge that a major security lapse had indeed allowed some users to access others’ camera data.

“Some users were able to see thumbnails of cameras that were not their own in the Events tab,” Crosby acknowledged, referring to the section of the Wyze app that shows clips of motion events detected by users’ cameras. While full live streams were not exposed, thousands of users could view thumbnail previews and receive alerts from cameras they did not own, a shocking breach of privacy.

According to Crosby’s statements, the security failure occurred in the wake of a major outage caused by issues at Amazon Web Services, which Wyze relies on to manage user data in the cloud. As Wyze’s servers became overloaded trying to recover from the outage, some user data became “corrupted” in ways that allowed the unprecedented security leak.

Wyze has confirmed that about 13,000 users were able to see thumbnails from others’ cameras, while around 1,500 users actually tapped on those thumbnails to view larger previews or videos from the motion events. Just how much intimate, private footage of people’s homes may have been exposed remains unclear.

The company says the security failure was caused by a “mix-up of device ID and user ID mapping” that allowed cameras and user accounts to become crossed. A new third-party caching client library that struggled to handle the massive influx of users rebooting cameras and accessing the app after the outage is being blamed as the weak link.

Regardless of the cause, the fact that thousands of users could have potentially peered into strangers’ homes for days before Wyze closed the security hole raises grave concerns about the company’s handling of user data. This is not the first time Wyze’s lax security has come under fire, either.

Back in 2019, the cybersecurity firm Bitdefender claims it alerted Wyze to a major vulnerability that would allow hackers to access user data and control cameras remotely. Yet Wyze failed to inform customers or issue a fix until three years later, only acting once the flaw was about to become public knowledge.

Wyze’s response to this latest incident has been swifter, with notifications sent to affected users and passwords forcibly reset to revoke any lingering unauthorized access. But for many customers, the damage may already be done. The thought that days or weeks of private home activities may have been exposed through a failure by Wyze could deal a permanent blow to consumer trust.

This stark warning about the potential dangers of security cameras and the need for ironclad privacy protections will likely ripple across the entire home surveillance industry. As consumers increasingly install internet-connected cameras in intimate spaces, the onus falls heavily on manufacturers like Wyze to assure users that what happens in the home stays securely in the home. For thousands of newly vulnerable customers, that assurance has been broken – and earning back their confidence will be an uphill battle.