What has happened?
We continuously monitor the health and activity of our Arlo ecosystem and on Friday, May 25, 2018 we began observing suspicious activity potentially impacting Arlo accounts. From our investigation, it appears that that an unknown entity or entities initiated a bruteforce attack on Arlo’s system in an attempt, in mass, to log into hundreds of thousands of Arlo accounts at the same time by reusing user credentials we believe were illicitly taken from an unknown third party unrelated to Arlo. Attacks like these are sometimes referred to as "credential stuffing".
Can you explain credential stuffing a bit more?
Credential stuffing commonly refers to a process whereby hackers illicitly acquire a database of usernames and passwords and attempt to use those previously stolen credentials to access other sites or accounts. In this instance, the usernames and passwords used by the attackers during their bruteforce attack were not gained from Arlo. From our investigation, we believe these credentials were illicitly obtained from an unknown third-party unrelated to Arlo. To mitigate or avoid the impact of these types of bruteforce attacks, we recommend that users avoid reusing or recycling passwords across different sites or accounts, especially for sites or accounts containing sensitive personal data, like social security numbers.
Has my Arlo account been impacted?
To the extent we believe an Arlo account may have been accessed without authorization, we have contacted the Arlo customer registered to the potentially impacted Arlo account. We contacted potentially impacted Arlo customers via the email associated with their Arlo account. If you did not receive an email directly from us today, then we do not have reason to believe, based on our investigation, that your Arlo account was accessed without authorization.
How many Arlo accounts were impacted?
Our investigation has revealed that out of approximately two million Arlo customer accounts, only 34 customer accounts may have been impacted (approximately .0017% of Arlo accounts).
When did the attack originate?
We first observed the suspicious activity on May 25, 2018, and immediately initiated investigation into the activity.
Is the attack still taking place?
Based on our investigation, the attack ended on or around Sunday, May 27, 2018.
Who is behind the attack?
We do not know, but we have contacted law enforcement and will continue to cooperate with their investigation.
What did Arlo do in response to the attack?
Upon discovering the suspicious activity on May 25, 2018, we immediately launched a forensic investigation into the activity. On May 26, 2018, as a precautionary measure, we contacted (via email and push notification) all registered Arlo users to alert them of the suspicious activity. We also alerted the larger Arlo Community of the suspicious activity and posted the alert on social media. We have contacted law enforcement and the relevant regulatory authorities, and will continue to cooperate with them in their investigations. To the extent we believe an Arlo account may have been accessed without authorization, we have contacted any such impacted Arlo customers directly.
What should I do?
As a precautionary measure, we are recommending that all Arlo customers immediately change their Arlo account passwords. As always, we recommend the use of a unique, strong password or passphrase. For instructions on how to reset your password, please view the following article: How do I change my Arlo password?.
What if I cannot log into my Arlo account?
Restart your application, and click on the Forgot password option on the login screen to reset your password.
How do I create a strong password?
A strong password:
Doesn't contain your username, personal information, or obvious phrasing;
Mixes uppercase/lowercase letters, numbers, and symbols (like spaces, $, %, !, etc.);
Is longer than 8 characters.
Is a passphrase a good idea?
We often recommend the use of a passphrase. A passphrase is a series of words or a phrase that is meaningful to you, but obscure to others. Good passphrases are lengthy and involve special characters and/or numbers.
Should I ever provide a password/passphrase via email?
No. As a best practice, we caution our users not to transmit their passwords or passphrases via email. Arlo will ever ask you to provide your password or passphrase in an email.
What if I believe my account has been compromised? How can I contact Arlo customer support?
Contact customer support at https://www.arlo.com/en-us/support/contact.aspx.