'I'm looking out your front door': Stranger had access to homeowner's security cameras
Company apologizes, blames problem on email mixup
Last Monday, Shelan Faith of Saskatoon received a letter from a stranger. Moments later she burst into tears.
The author had never met Faith but had a surprising amount of information about her and her home — what she looked like, people who had rung her doorbell and what the inside of her child's bedroom looked like.
The letter, though well-intentioned, was "terrifying," she said.
"I don't think I stopped shaking for days… just to know that somebody could see into my home or access my home."
The information had been gleaned from her home security system and its cameras by another client of the same company, Vivint Home Security, on the other side of Saskatoon.
Faith said the author had not written to frighten her, but to alert her to the privacy breach.
"We could have easily been broken into or harmed if this had been in the wrong hands," Faith said.
To prove the letter was not a hoax, the writer included specific details about events at her home, such as when her garage door was opened, and screenshots of notifications she had received about Faith's system. The details matched.
The author told her she had tried but failed to get Vivint to resolve the problem at their end.
"It was one of those 'Could you please hold? I have to get a supervisor' calls," the letter says.
Vivint has since acknowledged the breach and said it was caused by human error by the technician who installed Faith's system.
But the Utah-based company — which had almost 1.4 million subscribers in the U.S. and Canada as of July, according to its latest quarterly report — said it was not contacted about the problem until last Monday, when Faith called.
'Nobody believed me'
Faith took down the cameras — one on her doorstep and another she used as a baby monitor in her child's bedroom. But she says Vivint took days to deactivate the system and told her she would have to pay to cancel her account.
"Nobody believed me, I physically had to email them this letter to prove that I wasn't lying," said Faith.
It's the result of a human installation error in connecting to the wrong email address.- Vivint Home Security
"I mean if somebody can tell me what I look like, what my child's bedroom looks like, who has been ringing my doorbell. I mean, they can see through my system, I'm not making this up."
She said the company initially told her she would have to pay thousands of dollars to end her contract and get the security system out of her home.
The company has since confirmed it cancelled Faith's account without charge, on Friday, and sent her a refund.
Vivint apologized for the error in an emailed response to questions.
But in 2012, a Vivint customer in St. John's told CBC News he could see inside other people's homes. He too was told he had to pay to cancel his account.
Vivint said that error occurred when the company was using an outsourced security platform.
"[It is] one of the reasons we built our own smart home platform in 2014," said a spokesperson.
Installer feels 'terrible'
The spokesperson told CBC News the security system requires an email invitation to connect, but a technician used their own email account to connect the system for a customer who did not have an email account.
They said the two systems were accidentally connected when the technician went to the next installation.
The spokesperson said the technician felt "terrible" about the incident.
Faith said she has reported it to the Better Business Bureau and the Saskatchewan Information and Privacy Commissioner.
She also wrote a lengthy social media post alerting others to what happened.
"I still think everyone out there needs to know that this can happen and not to always trust your system," she said.