Wyze smart home security company left customer data on unprotected server
Names, email addresses and other data on up to 2.4 million customers was exposed
Wyze, a three-year-old US smart home company which produces cut-price security cameras, sensors and light bulbs, exposed the data of its 2.4 million users through much of December 2019.
The data, which included customer names and email addresses, plus nicknames of Wyze security cameras and information related to customer Wi-Fi networks, was held on an unencrypted database accessible by anyone who knew its online location.
Cybersecurity company Twelve Security first discovered the leaking database and reported on it on December 26. However, instead of following the industry-standard practice of notifying a company privately, and before publishing, that its data is exposed, Twelve Security did not contact the Seattle-based Wyze. Instead, the firm wrote on its blog that it considered the exposure a "malicious action," and encouraged U.S. authorities to investigate.
"Since there are clear indications that the data is being sent back to the Alibaba Cloud in China, coupled with the fact a similar breach of Wyze occurred only six months ago [where a single Wyze camera failed to disassociate itself with Alexa when reset], a notice wasn't given to Wyze," wrote the cybersecurity firm.
The server was left unprotected from December 4 until December 26, Wyze later confirmed in a post on its user forums written by company co-founder Dongsheng Song. An update posted by Song on December 29 admitted a second exposed server was discovered, although this one does not contain passwords or personal financial data, claims the company.
Beyond the forum post, Wyze has yet to contact customers, but all users have been logged out of Wyze's systems, and must now create a new password to log back in to use their devices. They also need to re-connect their Alexa, Google Assistant and IFTTT accounts, if they want to continue using them with Wyze products.
"We are working on an email notification to all affected customers and plan to release it in the near future," Song said on December 29, 2019. "To balance thoroughness and speed, we will be sending the information that we have on hand and will provide further updates as we continue forward with our investigation...we are deeply sorry for this situation."
An earlier forum post by Song explained how employee error, while moving data from one server to another on December 4, had led to the customer information being exposed. Although financial data wasn't included, customer email addresses, camera nicknames, Wi-Fi SSIDs, Wyze device details and body metric data were exposed, including the height, weight and gender of approximately 140 people who were beta testing a new smart scale being developed by Wyze. Song also responded to Twelve Security's claim that data was being sent to a cloud server in China.
"Several of the things that have been reported are not true," he said. "We do not send data to Alibaba Cloud. We don't collect information about bone density and daily protein intake even from products that are currently in beta testing. We did not have a similar breach six months ago."
Going forward, all Wyze users are advised to keep an eye out for any potential phishing campaigns against them, as their names and email addresses may have fallen into the hands of those who send phishing emails in a bid to trick recipients into handing over financial information.