Updated Official Statement

Dear eufy Security users

During a software update performed on our server in the United States on May 17th at 4:50 AM EDT, a bug occurred affecting a limited number of users in the United States, Canada, Mexico, Cuba, New Zealand, Australia, and Argentina. Users in Europe and other regions remain unaffected. Our engineering team identified the issue at 5:30 AM EDT and immediately rolled back the server version and deployed an emergency update. The incident was fixed at 6:30 AM EDT. We have confirmed that a total of 712 users were affected in this case.

Although the issue has been resolved, we recommend users in the affected countries (US, Canada, Mexico, Argentina, New Zealand, Australia, and Cuba) to:

  1. Please unplug and then reconnect the eufy security home base.

  2. Log out of the eufy security app and log in again.

All of our user video data is stored locally on the users’ devices. As a service provider, eufy provides account management, device management, and remote P2P access for users through AWS servers. All stored data and account information is encrypted.

In order to avoid this happening in the future, we are taking the following steps:

  1. We are upgrading our network architecture and strengthening our two-way authentication mechanism between the servers, devices, and the eufy Security app.

  2. We are upgrading our servers to improve their processing capacity in order to eliminate potential risks.

  3. We are also in the process of obtaining the TUV and BSI Privacy Information Management System (PIMS) certifications which will further improve our product security.

We understand that we need to build trust again with you, our customers. We are incredibly sorry and promise to take all the necessary measures to prevent this from ever happening again. Thank you for trusting us with your security and our team is available 24/7 at support@eufylife.com and Mon-Fri 9AM-5PM (PT) through our online chat on eufylife.com.

12 Likes

A software bug? That’s the story you’re sticking with?

Thousands, if not millions, of people could see other users’ camera feeds and you’re saying it’s a software bug?

This was a MASSIVE breach in home security!

22 Likes

Heads up! Shit happens. Great to hear you solved it this fast! This sure should never ever happen - but it did and can’t be turned back.
I am sure you will learn from this and do better in the future :relaxed:

It shows greatness to stand by your mistakes

13 Likes

Here are the steps to take if you want me to ever trust your products again:

  • Implement actual end to end encryption. Server-side changes should never even be able to lead to this kind of problem.
  • Make sure the app works even without internet access on LAN by adding local discovery of Homebase and cameras.
  • HomeKit only mode for Indoor cams would be good too.
  • Store event miniatures on the Homebase instead of your servers as they seem to be now.

That being said, kudos for reacting quickly to the problem :+1:

38 Likes

Did this affect accounts with MFA too?

1 Like

They didn’t stand by anything.
They blame it on a bug.
They didn’t apologize or show any concern about people’s privacy worries.

11 Likes

Far out, I was getting someone else’s camera feeds from inside their house - I could even control their cameras! I sent Eufy support the details.
This is just nuts, and I wonder how many other people this major breach has affected.

6 Likes

A bug is a bug. If it was a bug, it maybe wasn’t even their fault. I work as an IT administrator too - as I said - this never should happen, but it can. And if it happens, all that counts is that you react as fast as possible - that’s what they did.
What would you have of an excuse? It happened

5 Likes

Will there be a follow-up apology to Eufy users or is that all we are getting?

5 Likes

This is a COMPLETE DISGRACE… Eufy “security” products are anything but… sheesh…
Huge Eufy privacy breach shows live and recorded cam feeds to strangers

5 Likes

Curt indeed, and a bit of emotion would have softened the blow a (tiny) bit. Know your audience I’d say. Keep that for the future. Free, no charge this time. :wink:

That said, other companies would have kept quiet…indefinitely, so thanks for not doing that! :+1:t5:

2 Likes

I’m noticing a trend when it comes to Eufy and the multiple issues they have. DEFLECT, DEFLECT, NOT OUR FAULT, DEFLECT.

2 Likes

FYI - If you need to read an apology, they gave one on their statement to Engadget along with more details.

1 Like

This is a wholly insufficient response to a major security breach. Thankfully I don’t have any cameras inside my house, as I would be livid if suddenly complete strangers could potentially see or screenshot/record things that they have no business looking at.

There needs to be a comprehensive response about how this happened and what will be done to prevent this ever happening again. Otherwise I will be packing up all of my cameras and returning them for a refund. As I am sure many others will too.

5 Likes

Why do I feel like anybody who complains here is going to have “issues” with their eufy account in the future :laughing:

3 Likes

If Eufy had spent time designing their security and authentication processes correctly, a server side issue would not result in anyone seeing someone else’s account details, feeds, and events. It just shows that the people designing the system don’t know what they are doing. It wasn’t a bug, it was poor design.

It’s like the Sync “bug” that erases all your events when a button is held down on the field device. There again, a design choice that nobody thought through and they don’t seem to be able to fix. How many other “bugs” are waiting out there.

6 Likes

For the Dutch readers: https://www.rtlnieuws.nl/tech/artikel/5231552/eufy-cameras-beveiligingscameras-slimme-videodeurbellen-privacy-lek

If they really care about their customers they would update their response here to reflect that humility they expressed to Engadget to their customers. Apologizing to the press means nothing if it’s not communicated directly to your customer. Let’s hope that when you know better, you do better because this may not be the last time they have to make an apology. Time will tell. To be continued…

3 Likes

@richardweijens according to Engadget it did not affect European users - see link above - and we have been spared. :pray:t5: