As previously reported, last Friday (May 25, 2018) an unknown entity or entities initiated a brute force attack on our system, attempting in mass to log into Arlo accounts by reusing credentials we believe were illicitly taken from an unknown third-party unrelated to Arlo or NETGEAR. Attacks like this are sometimes referred to as "credential stuffing.”
From our investigation, there is no indication that the credentials were obtained from Arlo's systems or that Arlo's systems experienced a breach.
Upon discovering the suspicious activity, we immediately launched a comprehensive investigation. We have contacted law enforcement and are cooperating with them in their investigation of the matter. As part of our investigation, we have identified a small number of Arlo accounts that may have been accessed without authorization. We have contacted directly those Arlo account owners we believe may have been impacted by the attack. If you did not receive an email directly from us today, then we do not have reason to believe, based on our investigation, that your Arlo account was accessed without authorization.
As previously communicated, as a precautionary measure, we encourage all Arlo customers to change their Arlo account password. For instructions on how to reset your password, click here.
As always, we recommend the use of a unique, strong password or passphrase, and recommend that our users never transmit passwords or passphrases via email. Neither Arlo nor NETGEAR will ask you to provide your password or passphrase in an email.
We apologize for any inconvenience this may have caused. If you have further questions about the matter, please click here to view our FAQ.