Odd Events

Did smarthings get hacked??

This evening many of my cloud connected lights and devices turned off multiple times. Crazy thing is my hub is disconnected and sitting in a box as I moved to hubitat. I never disconnected my smarthings cloud integrations so it seems like those could have been executes still. I also received a notification from smarthings on my smartphone that my hub is online.Crazy…am I losing it?

It seems like something was executed remotely or from the app without my actions. Anyone seen this? Anyway to troubleshoot?

Here is a screen shot when I opened the app.

Cloud-2-Cloud connected devices will still be linked to SmartThings, unless you explicitly break/remove those connections. Also, since all of those cloud-connected device automations run in the ST cloud, even with your ST hub unplugged, they will still occur.

But how would that get executed without any action by me? I saw dozens of routines run.

Why did the app notification saying my hub was online show on Android?

I’m hoping there is a logical explanation Im missing here. Any help is appreciated to chase this down.

It sounds like you may still have SmartThings Routines/Rules/Pistons/Automations defined. Just a guess. Unless you never had a single ST automation scheduled to run automatically, based on a schedule, or presence, or other event… they will still attempt run.

I can’t answer that one. But the images you posted above all mention that your hub is OffLine.

I definitely never had my goodnight or all lights off routines scheduled and they ran multiple times… Smarthings has also been disconnect for probably a year and never seen any of this until this evening.

Something is fishy.

Fair enough! I believe you. I was just hypothesizing… :slight_smile:

Appreciate the ideas…i hope it is something logical and happy to try and track this down. Worrisome if somehow this is getting executed remotely.

Do you have connections to external services such as ActionTiles, WebCoRE, IFTTT, etc. ?

I received a notifcation from both the classic and new app in my android tray. As mentioned, I haven’t run smartthings in about a year.

I previously used Action Tiles with smarthings, but abandoned that when I moved. But did have the ability previously to execute these actions from there.

Could they remotely execute without my action?

If the SmartApp is still installed and authorized and permission to execute Routines was previously granted it is possible that’s what triggered these events.

Would that cause a notidication in the android smarthing apps saying my hub is online? Attached is example. Wouldnt think Action tiles could do that…but appreciate feedback.

I’m definitely not using action tiles for about a year…likely still connected but how would we troubleshoot to verify they are sending without my action to confirm/deny?

Looks like you still have quite a few cloud connected devices connected to SmartThings. You also have webcore running which can cause the actions you are seeing. If you are using hub connect for hubitat you will also see some device events from that. If you want to disable these behaviors, you need to go into the IDE or mobile app and remove these devices and integrations.

I’ve never really used webcore or set it up to run these actions (like all lights off, goodnight routine). That app has been installed for >2 years and never seen those so would be surprised by that.

Feedback is pointing to Action Tiles sending these routine actions. I have no idea why they would do this without my actions, but following up there to try and troubleshoot.

@625alex is there any reason a stale AT account would start firing off commands?

@jody.albritton, how is it possible that the Hub went Online? That’s definitely weird.

1 Like

To me it looks like a shedload of events from a seemingly implausibly long time ago (like months and months) have been trapped in ‘the system’ for all that time, and suddenly come bursting out.

There seems to be hint of a logical sequence there but highly time compressed, and if a genuine hub online event that caused the notification where could it have come from with the hub in a box? It just doesn’t look like new activity, it looks really old.

Would the usual trick of looking at the events in the IDE, set to ‘all’ rather than ‘displayed’, be helpful in this case?

UPDATE: By ‘it looks really old’, I meant it looks like new activity in response to really old events.

Hard to say because there are still active devices and integrations (cloud) that are generating lots of events. I don’t see any event where the hub reported itself to be online. Last boot was many months ago.

I got the notification that the hub was online in the screen shot on my phone in the moment it happened, and then later that evening when I turned on my tablet (the screen shot below is from my tablet as I dismissed the other on my phone).

In my smartphone classic app notifications this all took place between 8:08PM and 8:09PM on 6/3. 18 routines were run. Nothing before (since I stopped using) and nothing since yesterday.


Not sure where I look in the events in the IDE…but happy to share if someone can point me there.