A home security company left 2.4 million customers' data on the open internet for 22 days. No password. No encryption. Just an Elasticsearch database sitting on the public internet with your email, your home WiFi name, your camera IDs, and your Alexa tokens. Twelve Security researchers found it in December 2019. Wyze knew. They waited two weeks to tell you. Their explanation: an employee copied the production database to a test server and "accidentally" removed the security. Your home security camera company couldn't secure its own database. The data that was supposed to keep your home safe was visible to anyone with a web browser for three weeks.
critical
Wyze promises your camera feed is "not shared with any Wyze employees or third parties." In September 2023, 13,000 Wyze users opened their app and saw inside strangers' homes. Living rooms. Bedrooms. Nurseries. Wyze's first response: only 14 people were affected. The real number: 13,000. Off by a factor of nearly 1,000. This was the SECOND TIME it happened -- the same kind of breach occurred in September 2022. Wyze didn't fix it after the first time. Co-founder David Crosby blamed AWS. The company that promises your private video feed is never shared accidentally showed your bedroom to 13,000 strangers. Twice. In consecutive years.
critical
In March 2019, Bitdefender told Wyze that the Cam v1 had critical security flaws: anyone could remotely access the camera feed and SD card without authentication. The vulnerability couldn't be fixed. Wyze kept selling the camera. For THREE YEARS. New customers bought a "security camera" that any hacker could access remotely. Wyze said nothing. In January 2022, Wyze finally disclosed the vulnerability -- and said the v1 was end-of-life, no patch coming. Three years of selling a product they knew was broken. Millions of v1 cameras are still in homes right now, pointed at living rooms and bedrooms, permanently hackable. Wyze knew since 2019. They kept taking people's money.
Wyze says they never sell your data, but in the same document admits that what they do with your data might legally count as selling it under California law. They share your activity data with advertising companies to show you targeted ads — which is exactly what most people would consider "selling" their information.
critical
Wyze uses your home security camera footage to train their AI systems. They bury this in the fine print while their marketing emphasizes security and privacy. Meanwhile, security flaws left your camera footage accessible to hackers for almost three years before being fixed.
critical
Security researchers found hackers could take over Wyze cameras and watch your recordings in 2019. Wyze ignored them for almost two years, then took another year to fix it. The oldest model was never fixed at all. During those three years, Wyze kept selling cameras that had known security holes.
Wyze knew that hackers could access your camera feed without a password for almost three years and did not fix it or tell customers. They continued selling cameras as "secure" while anyone with basic hacking skills could watch your home.
critical
In February 2024, a Wyze system error let about 13,000 strangers see inside other people's homes through their Wyze cameras. Some people could watch live video of other families' private spaces. Major review outlets stopped recommending Wyze cameras.
critical
Wyze tells Google Play Store users that the app does not share their data with third parties. But Wyze's own privacy policy says the opposite — they sell your personal information to advertisers. This is a direct, provable lie on the app store page.
Wyze says they protect your data. They left a database with 2.4 million people's info on the open internet for three weeks. Emails, camera names, Wi-Fi networks, body measurements. They didn't even notice — a security firm found it first.
critical
Wyze says nobody can see your camera feed. Then 13,000 people saw other people's feeds. Inside their homes. Wyze first said 14 people, then quietly updated to 13,000. This happened TWICE in six months. Now imagine this company controlling who can open your front door.
critical
Wyze says they fix security bugs in 3-4 weeks. It took THREE YEARS to fix one that let hackers access your camera's SD card. They ignored the researchers. Another researcher was so frustrated he released a full hack tool on GitHub. These are the people guarding your front door.
Wyze knew hackers could access their camera feeds for three years and said nothing. Bitdefender told them in 2019. They didn't fully fix it until 2022. They never told customers. If they hid a camera vulnerability for three years, what are they hiding about the thermostat that knows when you're home, when you sleep, and when you're away?
high
Your Wyze thermostat knows your schedule. The camera knows your face. The door sensor knows when you leave. The motion sensor knows which rooms you use. Together, Wyze has a complete map of your life inside your house — stored on the same cloud that hid a camera vulnerability for three years.