Robot vacuums hacked across US cities: Cameras accessed; made to hurl abuses

A number of users throughout the US reported such issues with their devices. In one case, a Deebot X2 chased the pet dog of its owner through their Los Angeles home after going rogue.
DH Web Desk

An Ecovacs Deebot X2.

Credit: X/@ecovacs_japan

A number of Chinese-made Ecovacs robot vacuums in many US cities were allegedly hacked, with the person responsible controlling their movements and also making them yell obscenities at their owners using the onboard speakers.


All the hacked robots—Ecovacs Deebot X2s—were manufactured in China, ABC reported. The publication itself hacked into one such robot to reveal that these models come with a major security flaw.

"It sounded like a broken-up radio signal or something," a lawyer whose device malfunctioned told the publication, adding, "You could hear snippets of maybe a voice."

He then discovered through the Ecovacs app that someone was controlling his robot vacuum's live camera feed as well as its remote control feature.

The user thought it was some glitch and did not pay much heed. Soon, the robot started moving again, and this time shouted expletives.

"I got the impression it was a kid, maybe a teenager [speaking]," the user told the publication, adding, "Maybe they were just jumping from device to device messing with families". This is when he decided to switch the device off.

He was worried that if someone got access to the live camera feed of the device, they might be able to take pictures of him and his family in compromising states.

"I just thought of it catching my kids or even me, you know, not dressed," he said.

A number of users throughout the US reported such issues with their devices. In one case, a Deebot X2 chased the pet dog of its owner through their Los Angeles home after going rogue.

In El Paso, an Ecovacs device shouted racial slurs at its owner before it was unplugged.

The company later issued a statement regarding the same, in which it said, "Ecovacs conducted a thorough internal investigation at the end of May 2024 and found no evidence to suggest that any usernames and passwords were obtained by unauthorised third parties as a result of any breach of Ecovacs’ systems."

However, it did acknowledge that a credential stuffing event was responsible for the hacking.

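Credential stuffing is when an attacker takes usernames and passwords exposed elsewhere and tries them against other websites, which works when an individual uses the same username and password across a number of websites.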

"This investigation also identified a credential stuffing event, in which a third party attempted to use email addresses and passwords to try to gain access to Ecovacs’ customer accounts. There were significantly more attempts to log-in than the average daily amount, by a factor of 90:1. These all [came] from the same IP address, which was identified as coming from both an unusual device, and an unusual location. This IP address was immediately blocked," the statement further read.
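
The signals the statement describes (login attempts far above the daily average, all from one IP address) can be checked directly from login logs. The following is an added example, not Ecovacs' code or part of the original report; the event format, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed events: (day, source_ip, username, success). Not real data."""
    events = []
    # Baseline: three quiet days, 10 logins a day, one household IP per account.
    for day in ("d1", "d2", "d3"):
        for i in range(10):
            events.append((day, f"198.51.100.{i}", f"user{i}@example.com", i != 0))
    # Spike day: normal traffic plus one IP trying 900 different accounts.
    for i in range(10):
        events.append(("d4", f"198.51.100.{i}", f"user{i}@example.com", True))
    for i in range(900):
        events.append(("d4", "203.0.113.7", f"victim{i}@example.com", i % 100 == 0))
    return events

def detect_stuffing(events, day, baseline_days, min_ratio=10.0,
                    min_accounts=50, min_fail_rate=0.9):
    """Return {ip: stats} for IPs on `day` that look like credential stuffing.

    An IP is flagged when its attempts are at least `min_ratio` times the
    average daily total, spread over many accounts, and mostly failing.
    The three thresholds are illustrative assumptions, not vendor values.
    """
    per_day = defaultdict(int)
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set()})
    for d, ip, user, ok in events:
        per_day[d] += 1
        if d == day:
            stats = per_ip[ip]
            stats["attempts"] += 1
            stats["failures"] += 0 if ok else 1
            stats["accounts"].add(user)
    baseline = sum(per_day[d] for d in baseline_days) / len(baseline_days)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["attempts"] / baseline if baseline else float("inf")
        fail_rate = s["failures"] / s["attempts"]
        if (ratio >= min_ratio and len(s["accounts"]) >= min_accounts
                and fail_rate >= min_fail_rate):
            flagged[ip] = {"ratio": round(ratio, 1), "accounts": len(s["accounts"]),
                           "fail_rate": round(fail_rate, 3)}
    return flagged

if __name__ == "__main__":
    hits = detect_stuffing(build_sample_events(), "d4", ["d1", "d2", "d3"])
    for ip, stats in hits.items():
        print(ip, stats)
```

The few logins that succeed from a flagged IP are the accounts where a reused password worked, so those are the ones to force a password reset on.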

(Published 23 October 2024, 16:32 IST)