Update, 5/19/21 11:36 am: Eufy responded to us with a statement, which is available below. We are communicating with the company for more info.
A Eufy security bug gave users complete access to strangers’ accounts, including live video feeds, recordings, camera pan and zoom controls, and private account info. While Eufy claims to have fixed the problem, it suggests that all users unplug and reconnect their camera hardware and log out and back into the Eufy Security app. That’s a bad sign, folks!
The bug was reported by several Eufy users on Reddit, who found that they were logged into random Eufy Security accounts. According to Eufy, the bug occurred during a server upgrade at 4:50 AM EST, which explains why very few people in the U.S. encountered it. Still, many of the Australians who reported this bug on Reddit had access to Eufy Security accounts in the U.S. and other parts of the globe.
We reached out to Eufy for a statement, which you can read here. We will continue updating this article if the company provides more info:
We have been working closely with the eufy team to find out what happened and what the company will do next, and below is the update:
During a software update performed on our server in the United States on May 17th at 4:50 AM EDT, a bug occurred affecting a limited number of users in the United States, Canada, Mexico, Cuba, New Zealand, Australia, and Argentina. Users in Europe and other regions remain unaffected. Our engineering team identified the issue at 5:30 AM EDT and immediately rolled back the server version and deployed an emergency update. The incident was fixed at 6:30 AM EDT. We have confirmed that a total of 712 users were affected in this case.
Although the issue has been resolved, we recommend users in the affected countries (US, Canada, Mexico, Argentina, New Zealand, Australia, and Cuba) to:
- Please unplug and then reconnect the eufy security home base.
- Log out of the eufy security app and log in again.
All of our user video data is stored locally on the users’ devices. As a service provider, eufy provides account management, device management, and remote P2P access for users through AWS servers. All stored data and account information is encrypted.
In order to avoid this happening in the future, we are taking the following steps:
- We are upgrading our network architecture and strengthening our two-way authentication mechanism between the servers, devices, and the eufy Security app.
- We are upgrading our servers to improve their processing capacity in order to eliminate potential risks.
- We are also in the process of obtaining the TUV and BSI Privacy Information Management System (PIMS) certifications which will further improve our product security.
We understand that we need to build trust again with you, our customers. We are incredibly sorry and promise to take all the necessary measures to prevent this from ever happening again. Thank you for trusting us with your security and our team is available 24/7 at firstname.lastname@example.org and Mon-Fri 9AM-5PM (PT) through our online chat on eufylife.com.
Some users on the r/EufyCam subreddit report that they heard strange noises from their camera around the time that the bug was first reported, a sign that they were being watched by someone who enabled the camera’s speakerphone functionality. Unsurprisingly, these users say that they don’t want to keep their Eufy cameras anymore.
Aside from its quick tweet, Eufy hasn’t commented on the bug. We don’t know why users suddenly stumbled into each other’s accounts or why it took Eufy nearly 2 hours to resolve the issue—and we don’t really know that it’s fixed. The company’s suggestion that users log out and back into their accounts implies that some people may still have access to strangers’ accounts. It’s also unclear whether this problem impacted HomeKit Secure Video users, who should be protected from security bugs like this.
If you own Eufy security cameras, you should log out and back into your account and temporarily unplug your camera hardware for a quick reset. Or, you know, turn off your cameras until Eufy offers some real information on how this security breach occurred. You could also ask to return your cameras and switch to another brand.