A home security company left 2.4 million customers' data on the open internet for 22 days. No password. No encryption. Just an Elasticsearch database sitting on the public internet with your email, your home WiFi name, your camera IDs, and your Alexa tokens. Twelve Security researchers found it in December 2019. Wyze knew. They waited two weeks to tell you. Their explanation: an employee copied the production database to a test server and "accidentally" removed the security. Your home security camera company couldn't secure its own database. The data that was supposed to keep your home safe was visible to anyone with a web browser for three weeks.
Wyze promises your camera feed is "not shared with any Wyze employees or third parties." In September 2023, 13,000 Wyze users opened their app and saw inside strangers' homes. Living rooms. Bedrooms. Nurseries. Wyze's first response: only 14 people were affected. The real number: 13,000. Off by a factor of nearly 1,000. This was the SECOND TIME it happened -- the same kind of breach occurred in September 2022. Wyze didn't fix it after the first time. Co-founder David Crosby blamed AWS. The company that promises your private video feed is never shared accidentally showed your bedroom to 13,000 strangers. Twice. In consecutive years.
What they claim: Wyze markets itself as a US-based company from Kirkland, Washington, founded by former Amazon employees, emphasizing its American identity and trustworthiness.
What we found: Wyze cameras are manufactured in China by Tianjin Hualai Technology -- reflected in the app's package name: com.hualai. Firmware development and updates involve engineers based in Shenzhen, China. Firmware updates are pushed to cameras automatically, meaning Chinese-developed code runs on cameras pointed inside American homes with no user review or approval of changes. The US government sanctioned Chinese camera manufacturers Hikvision and Dahua over national security concerns in 2019. While Wyze has not been sanctioned, its cameras share the same Chinese manufacturing ecosystem, supply chain, and firmware development practices. China's 2017 National Intelligence Law requires Chinese companies and citizens to "support, assist, and cooperate with national intelligence work" -- a law that applies to Wyze's manufacturing and firmware partners.
What they claim: Wyze's security trust page states: "Your data is never sold. We do not sell your personal information in the conventional sense (i.e., for money)." Wyze markets its $20 cameras as "democratizing" home security.
What we found: Wyze's own CCPA disclosure contradicts its "never sold" claim in the same document: "we may disclose certain data points about you such as your activities on our website or app to services that allow us to show you interest-based advertisements, or to our business partners. Making this information available to these companies may be considered a sale under the California Consumer Privacy Act." The $20 camera price is dramatically below competitors -- Nest Cam costs $130, Ring costs $60. Hardware at this price point operates at a loss or near-zero margin. The business model requires revenue beyond hardware: Cam Plus subscriptions ($1.99/month), Cam Unlimited ($9.99/month), and data monetization through advertising partnerships. The phrase "in the conventional sense (i.e., for money)" is a remarkable qualifier -- acknowledging that what they do might be selling, just not in the way you'd expect.
What they claim: Wyze's camera supplemental terms state: "videos and/or the live streams from your Security Cameras are not shared with any Wyze employees or third parties."
What we found: The same Wyze supplemental terms state: "Wyze may analyze, process, and use your User Recordings using automated technologies and machine learning to build and improve its products and services." These two statements exist in the same legal document. Videos are "not shared" but are "analyzed, processed, and used" with machine learning. The AI training clause is buried in supplemental terms, not the main privacy policy that users are more likely to read. The iRobot/Scale AI scandal demonstrated what happens when "AI training" involves human annotation of intimate home footage -- gig workers viewing and sharing images of people in private moments. Wyze claims the right to use machine learning on footage from cameras pointed inside your home while simultaneously claiming that footage is never shared.
What they claim: Wyze positions itself as an independent American startup focused on affordable smart home products for US consumers, with data stored domestically.
What we found: Wyze was co-founded by former Amazon employees but manufactures all hardware through Chinese partner companies. Their original camera was a rebadged Xiaomi product (the Xiaomi Xiaofang 1S). In January 2020, a Wyze camera integration with Google Nest Hub showed feeds from other users' cameras — Google temporarily banned Wyze from the Nest Hub platform until the issue was fixed.
What they claim: Wyze's security trust page states: "Since the founding of Wyze, we have existed for our users" and emphasizes its commitment to security and responsible data handling.
What we found: In December 2019, Wyze exposed an Elasticsearch database containing 2.4 million users' personal information for 22 days with no password protection. The database was open on the public internet for anyone to find and access. Exposed data included: email addresses, WiFi SSIDs (home network names), camera device IDs, Alexa integration tokens, and body metrics from Wyze Scale users. Security researchers at Twelve Security discovered the breach and published their findings. Wyze waited approximately two weeks after learning of the breach before notifying affected users. Wyze's explanation: an employee copied production data to a test server and "accidentally" removed security protections. A home security camera company left 2.4 million customers' data -- including home network names and camera IDs -- on the open internet for three weeks.
What they claim: Wyze's camera supplemental terms state: "videos and/or the live streams from your Security Cameras are not shared with any Wyze employees or third parties." Wyze markets encrypted video feeds and secure data handling.
What we found: In September 2023, a server-side caching issue allowed approximately 13,000 Wyze users to see thumbnails and video clips from OTHER users' cameras. Users reported seeing inside strangers' living rooms, bedrooms, and nurseries. Wyze initially claimed only 14 users were affected, then revised the number to 13,000 -- a nearly 1,000x undercount. This was the SECOND incident of the exact same type: a smaller event occurred in September 2022 where users reported seeing other people's camera feeds. The 2022 incident clearly didn't result in fixes adequate to prevent the 2023 recurrence. Co-founder David Crosby acknowledged the September 2023 breach but blamed a third-party caching library (AWS). The company that promises your video is never shared with third parties accidentally shared it with 13,000 strangers.
What they claim: Wyze marketed the Cam v1 as affordable, reliable home security and continued selling it through its website and retail partners.
What we found: Bitdefender discovered critical vulnerabilities in the Wyze Cam v1 in March 2019: CVE-2019-9564 (authentication bypass) and CVE-2019-12266 (remote code execution via stack buffer overflow). These vulnerabilities allowed unauthenticated remote access to the camera's SD card contents and full remote control of the device. Bitdefender contacted Wyze through responsible disclosure. Wyze took nearly THREE YEARS to publicly disclose the issue -- finally acknowledging it in January 2022. During those three years, Wyze continued selling the Cam v1 to new customers who had no way of knowing they were buying a security camera with unfixable security vulnerabilities. When Wyze finally disclosed, they declared the v1 end-of-life and said it couldn't be patched. Millions of v1 cameras remain in homes today, permanently vulnerable to remote access.
What they claim: Wyze's privacy policy promises transparent communication about security incidents and claims to protect user data with "industry-standard security measures."
What we found: Bitdefender discovered a critical vulnerability in Wyze Cam v1 in March 2019 that allowed remote access to the camera's SD card contents (including saved video). Bitdefender reported it to Wyze in 2019, but Wyze did not patch it or disclose it to users for nearly three years, until Bitdefender went public in March 2022. The Wyze Cam v1 was never patched — Wyze simply discontinued it.
What they claim: Wyze states it implements "appropriate security measures" to protect personal information and limits data access to authorized personnel only.
What we found: In December 2019, an unsecured Elasticsearch database exposed personal data of 2.4 million Wyze users for 22 days. The leak included email addresses, WiFi SSIDs, Alexa tokens, camera names (often identifying locations like "bedroom" or "baby room"), and health data from Wyze Scale beta users including body measurements.
What they claim: Wyze's security architecture claims end-to-end encryption of video streams, with camera feeds accessible "only to the account owner."
What we found: In September 2023, approximately 13,000 Wyze users received thumbnail images from other people's cameras in their Events tab. Users reported seeing the insides of strangers' homes, including images of sleeping people and children. Wyze initially blamed an AWS outage but later admitted it was a caching error in their system. In March 2024, the exact same bug happened again to another set of users.
What they claim: Wyze claims cameras use encrypted connections and that remote access requires authentication through Wyze's secure cloud infrastructure.
What we found: The Bitdefender vulnerability report (CVE-2019-9564, CVE-2019-12266) revealed that Wyze Cam v1-v3 had an authentication bypass allowing anyone to remotely connect to the camera without credentials. Combined with a stack buffer overflow, an attacker could achieve full remote code execution. The authentication bypass allowed access to the camera's entire filesystem including stored video.
What they claim: Wyze's security trust page states: "Since the founding of Wyze, we have existed for our users" and presents a comprehensive security commitment including encryption, secure development practices, and responsible data handling.
What we found: Wyze has experienced a documented pattern of security failures:
December 2019 -- 2.4 million user database exposed on public internet for 22 days with no password, two-week delayed notification.
March 2019 -- Bitdefender reports unfixable critical vulnerabilities in Cam v1, Wyze hides it for three years while continuing to sell the product.
September 2022 -- Users report seeing strangers' camera feeds due to server-side error.
September 2023 -- 13,000 users can see strangers' camera feeds, same incident type as 2022, Wyze initially claims only 14 affected.
Each incident reveals the same pattern: inadequate security infrastructure, minimized initial disclosure, and failure to implement fixes that prevent recurrence. Four major security incidents in four years from a home security company. The 2022 camera feed breach didn't prevent the 2023 camera feed breach. The pattern is the finding.
What they claim: Wyze originally marketed cameras with "free cloud storage" for 14-day event clips as a core value proposition, attracting millions of budget-conscious users who chose Wyze specifically for the no-subscription model.
What we found: In 2023, Wyze eliminated free person detection and moved nearly all useful features behind Cam Plus ($1.99-3.99/month per camera). Event recording went from 12-second clips to 5-second clips for free users. Users who bought cameras specifically for the free cloud feature found their devices significantly degraded without a subscription, turning $30 cameras into recurring monthly expenses.