For once, the real story isn't as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but:
The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.
The way to implement this attack is by intercepting the Echo before it arrives at the target location. But if you can do that, there are a lot of other things you can do. So while this is a vulnerability that needs to be fixed -- and seems to have inadvertently been fixed -- it's not a cause for alarm.
from Turning an Amazon Echo into an Eavesdropping Device