In February 2024, approximately 13,000 Wyze security camera customers discovered a chilling reality: their home security devices had become windows into strangers’ homes. A faulty third-party caching library confused device ID and user ID mappings, accidentally connecting customers to video feeds and thumbnail images from homes they didn’t own. This breach represents one of the most intimate security failures in home camera history—customers expecting privacy got exposure instead, leading to a class action lawsuit against Wyze Labs over the company’s negligent handling of user data and inadequate security safeguards. The February 2024 incident isn’t Wyze’s first security failure.
In 2019-2020, a separate breach exposed personal information for 2.4 million customers, including usernames, emails, and credentials that allowed access to live feeds. Years before that, Wyze cameras contained hardware vulnerabilities that allowed remote control and SD card access. Together, these breaches paint a picture of a company with recurring security problems that put customers’ privacy at risk.
Table of Contents
- What Caused Wyze Cameras to Broadcast Feeds to Strangers?
- How Did This Security Failure Happen and Why Did It Go Undetected?
- Wyze’s Pattern of Security Breaches: The 2019-2020 Data Breach
- Hardware Vulnerabilities That Wyze Delayed Fixing for Years
- What Data Was Exposed in Each Breach and What Risks Do You Face?
- Which Wyze Camera Models Were Affected?
- What Rights Do You Have as a Class Action Member?
What Caused Wyze Cameras to Broadcast Feeds to Strangers?
The February 2024 breach stemmed from a software bug in a third-party caching client library that Wyze relied on. Instead of properly mapping each user’s account to their own cameras, the library confused device IDs with user IDs, creating crossed wires in the system. When customers logged in, they might see live feeds and thumbnail images from other people’s homes rather than their own. A customer in Texas could find themselves watching a family in California, with no explanation and no way to know how long their own cameras had been visible to strangers.
The breach was discovered during a February 16, 2024 outage and affected approximately 13,000 customer accounts. While 13,000 is a smaller number than Wyze’s previous 2019 breach (which impacted 2.4 million accounts), the nature of the exposure was particularly severe. Unlike a data breach where information is stolen silently, these customers could see evidence of the breach—they literally watched streams from homes they didn’t own. The exposure included both real-time video feeds and previously cached thumbnail images from other users’ systems.
How Did This Security Failure Happen and Why Did It Go Undetected?
A third-party software library that Wyze used for caching and data retrieval contained a critical bug in how it handled device and user identification. When users accessed their accounts, the library returned cached data meant for different users. This wasn’t a case of hackers breaching Wyze’s system from the outside—it was an internal architectural failure in code that Wyze had integrated into its infrastructure. The company relied on this library without adequate testing to verify that data from different accounts remained properly separated.
The breach highlights a common problem in software security: developers and companies sometimes trust third-party libraries too completely. Even when a library is from a reputable source, integrating it without thorough testing for account isolation and data separation can create vulnerabilities. In Wyze’s case, this trust was misplaced. However, if your cameras were not accessed during the brief window of the February 2024 outage, your historical video footage remained secure—the breach was confined to the cached thumbnail data and live feed data that people actively viewed during that period.
Wyze’s Pattern of Security Breaches: The 2019-2020 Data Breach
Two years before the 2024 incident, Wyze suffered a much larger breach that exposed data for 2.4 million customers. Beginning in 2019 and continuing for 23 days, an unsecured database containing customer usernames, email addresses, and health data was accessible to anyone on the internet. Even worse, the exposed data included authentication credentials that allowed attackers to access live camera feeds directly. Customers didn’t just have their personal information compromised—they had their home security systems compromised.
Matthew Schoolfield, a Texas resident, filed a class action lawsuit against Wyze Labs in 2020 (Case No. 2:2020cv00282 in the Western District of Washington). The complaint alleged negligence and violations of ftc regulations that require reasonable security standards for consumer data. Unlike the 2024 breach which was confined to cached data during an outage, the 2019-2020 breach represented a fundamental failure in how Wyze stored and protected its customer database. The company had exposed 2.4 million people’s names, emails, health information, and security credentials without any adequate encryption, access controls, or monitoring to detect unauthorized access.
Hardware Vulnerabilities That Wyze Delayed Fixing for Years
Beyond software breaches, Wyze camera hardware itself contained critical vulnerabilities that allowed attackers to hijack cameras and steal stored video. Security researchers at Bitdefender disclosed a vulnerability affecting Wyze Cam v1, v2, and v3 models in March 2019 that allowed remote attackers to take control of the cameras and access any video files stored on connected SD cards. Instead of quickly patching this known vulnerability, Wyze took approximately three years to fix it—an unacceptable delay that left millions of customers exposed to attackers who knew exactly how to compromise their devices.
This vulnerability was particularly dangerous because it didn’t require a user to click a malicious link or download something suspicious. An attacker could remotely exploit the hardware flaw to gain control. For three years, Wyze customers believed they were protecting their homes with security cameras while those cameras remained compromised and remotely controllable by attackers. Eventually, Wyze settled a class action lawsuit over its failure to disclose and promptly patch this vulnerability, but the settlement came only after years of customer exposure.
What Data Was Exposed in Each Breach and What Risks Do You Face?
Understanding what was exposed in each breach helps you assess your personal risk. In the 2024 incident, you were exposed if someone else viewed your live camera feed during the February 16 outage window—your stream wasn’t stolen, but it was visible. In the 2019-2020 breach, your email, username, health data, and potentially camera credentials were exposed for 23 days. In the hardware vulnerability, your cameras could have been remotely accessed and controlled by attackers without your knowledge.
One important limitation: if you don’t currently use the cameras or if you changed your password after the breaches, your ongoing risk is reduced for the credential-based risks. However, if the same password was used on other accounts, you remain at risk from credential stuffing attacks. If you have always kept your SD card slot empty or password-protected other accounts, you had some natural protection. But if any of your Wyze cameras remain on outdated firmware that still contains the hardware vulnerability, you remain at risk regardless of the breach itself.
Which Wyze Camera Models Were Affected?
The hardware vulnerability settlement specifically affected Wyze Cam v1, v2, and v3 models—the company’s most popular consumer security cameras. These were the models in circulation from 2019 through the time of the settlement, and they contained the remote access vulnerability that Bitdefender disclosed. The 2019-2020 data breach affected any Wyze customer with an account during that 23-day exposure window. The February 2024 incident affected 13,000 customers, with the company identifying which specific accounts experienced the data mix-up.
To determine if your camera was affected, check the model number on your device (printed on the bottom or back). If you own a Wyze Cam v1, v2, or v3, you should verify that your firmware is fully updated to the patched version. For the 2019-2020 breach, anyone with a Wyze account created before 2020 should monitor for credential-related activity. For the 2024 breach, if you received a notification from Wyze about the February outage affecting your account, you were among the 13,000 affected customers.
What Rights Do You Have as a Class Action Member?
Class action lawsuits against Wyze give affected customers several types of potential compensation. Some settlements have provided cash payments to class members—either a fixed amount per household or a pro-rata share of a settlement fund based on how many claims are filed. Others have offered free camera replacements, extended warranties, or free monitoring service credits. The exact compensation available depends on which specific lawsuit applies to your situation and whether you file a claim within the deadline specified in that settlement.
If you purchased or used Wyze cameras between 2019 and 2024, you may be eligible for compensation from multiple settlements covering different breaches. To participate, you typically need to file a claim with the settlement administrator, providing proof of purchase or account ownership. Settlement websites usually have claim deadlines—often 6-12 months after the settlement is approved—so it’s important to act promptly. Courts have emphasized that companies like Wyze must be held accountable for negligent security practices, and class members deserve compensation for the privacy violations and risk they’ve endured.
You Might Also Like
- Class Action Targets Spotify for Underpaying Independent Artists Under CRB Rate Agreements
- Class Action Targets Progressive for Using Predictive Modeling That Discriminated Against Minority Policyholders
- Class Action Targets PGA Tour for Excluding LIV Golf Players From Tour Events