eufy's casual reference to a “software bug” belies the gravity of a recent security breach that has left users' personal information and camera recordings exposed. For those who own eufy security cameras, such as eufyCam, Video Doorbell, Floodlight Camera, and Indoor Cam, it's crucial to act immediately: unplug your devices, delete your recordings, change your passwords, and log out of your accounts.
The magnitude of the breach
This is no ordinary security breach – other users may have access to your recordings, contact details, and camera names. Disappointingly, eufy has done little to inform its users, despite having their email addresses and regularly sending promotional material. One might expect eufy to log out all users and enforce password changes, but their response so far has been lacklustre, casting doubt on the trustworthiness of the company and its products.
Unravelling the eufy security breach
The breach first came to light on Monday, May 17, 2021, when a Reddit user from New Zealand reported seeing videos from another user's camera, likely located in Australia. The user also had full access to the Australian user's contact information and camera name. Fortunately, the Reddit user chose not to share any videos or images, but others affected by the breach may not be so honourable.
eufy's response was slow, taking seven hours to acknowledge the issue via Twitter. Their tweet mentioned a “bug” discovered at 10:50 AM, which was fixed two hours later, but provided no further details about the cause or the number of compromised accounts. The timing of their tweet also curiously coincides with the Reddit user's post, raising questions about the transparency and accuracy of eufy's response.
eufy's potential consequences
Should eufy choose to maintain their silence, one might envision a rather substantial fine arriving at their headquarters. As a European, my familiarity lies with the GDPR, which stipulates the following:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
2. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Art. 33 GDPR
One can't help but wonder if a mere tweet would suffice as a proper notification. After all, it's rather presumptuous to assume that all eufy customers are also Twitter users, especially when eufy has access to their email addresses. The company still has two days to issue a more formal response, and it would be prudent for them to do so. Failing to comply with GDPR regulations could result in a fine of up to €20 million or 4% of their total global turnover, depending on which amount is greater. In light of their current response, or lack thereof, it's difficult not to feel that eufy deserves such a penalty.
A belated call for offline security
In the wake of a security breach, it's common to hear advice from fellow users urging the disconnection of security cameras from the internet, particularly those located indoors. While this sentiment is undoubtedly wise, we must remember that not everyone possesses the technological prowess of Home Assistant users. Home Assistant, after all, remains a haven for tinkerers with a better-than-average grasp of technology.
For many, the convenience of setting up cameras like those from the compromised eufy and opting for a cloud-based subscription to store recordings far outweighs the effort required to establish a local-only alternative. Furthermore, manufacturers such as eufy often fail to provide a comprehensive and open API, leaving users with little choice but to rely on their services for full control of their cameras.
While there are certainly lessons to be learned for the future, for those affected by eufy's breach, such counsel arrives too late. Thus, I reiterate my immediate course of action: Other eufy users may have access to all your recordings, contact information, and camera names. Unplug all your eufy security cameras at once, delete your recordings, change your passwords, and log out of your accounts. And above all, refrain from investing any more of your hard-earned money in eufy.