What eufy is casually calling a “software bug” but is, in fact, a massive security breach has occurred in the last 24 hours. For all owners, the time to act is now: If you haven’t done so already, unplug all your eufy security cameras (eufyCam, Video Doorbell, Floodlight Camera, and Indoor Cam) immediately, delete your recordings, change your passwords, and log out of your accounts.
The gravity of this security breach cannot be overstated. Other users might have access to all of your recordings, contact details, and camera names.
The saddest part of the current situation is that eufy is doing the very least they can to inform their users. I own a eufy Indoor Cam (which won’t be used any more) and haven’t yet received any direct communication, even though they have my email address and will gladly send me ads for new products. You should expect eufy to log out every user and force a password change on all accounts. The last day has shown that eufy is not a company to be trusted, and their products should be avoided.
What happened during the eufy security breach?
On Monday, May 17 at 10:51 AM (GMT +0200), Reddit user /u/MeChum87 from New Zealand reported that instead of their own recordings, they were seeing videos from what appeared to be another user, most likely located in Australia. They also had full access to that user’s contact information and could see the camera’s name, which was creatively given as “Kangaroo Cam”. Luckily, /u/MeChum87 is a person of honour and hasn’t shared any videos or images, but other victims might not be as lucky.
The first acknowledgement from eufy came in exactly seven hours later at 5:51 PM through the medium of Twitter. According to their tweet, a “bug” was discovered at 10:50 AM (curiously exactly a minute before the aforementioned Reddit user created their post) and was fixed two hours later. The tweet contained no information on what caused the “bug” and how many accounts were compromised.
What could happen to eufy now?
If eufy were to remain silent, I would hope a hefty fine would land on their doorstep. As a European, I am only familiar with the GDPR, and it states the following:
(1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
(2) Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Art. 33 GDPR
I would hope that a simple tweet does not suffice. After all, you can’t expect all of eufy’s customers to also be Twitter users, and eufy does have access to every user’s email address. There are still two days left for eufy to respond in a more official manner, and I would hope they do. Not adhering to the GDPR could lead to a fine of EUR 20 million or up to 4% of their total global turnover, whichever is higher. In my opinion, eufy deserves nothing less for how they have responded thus far.
It’s too late to say “offline only”
Whenever such a breach occurs, you will read advice from other users telling you to never let your security cameras access the internet, especially if they are indoors. It is a sentiment that I definitely agree with, but you do have to keep in mind that not every user will be as technologically skilled as those using Home Assistant. After all, Home Assistant is still largely a tinkerer’s tool, and its users will have a better than average understanding of technology.
Setting up cameras such as eufy’s and paying for a subscription to store recordings in the cloud is far easier than setting up a local-only alternative. Additionally, because manufacturers such as eufy don’t provide a full and open API, there is often no way to fully control their cameras without using their services.
Of course there are lessons to be learnt for the future, but for those caught up in eufy’s breach, this advice comes too late. That is why I will repeat my advice for immediate action one more time: Other eufy users might have access to all of your recordings, contact details, and camera names. Unplug all your eufy security cameras right now, delete your recordings, change your passwords, and log out of your accounts. And whatever you do, don’t give eufy another single cent of your hard-earned money.