IoT provider Wyze confirms Massive Data Leak

Image Credit : WYZE

Wyze smart home device provider company has suffered a data leak exposing data of around 2.4 million customers.

Wyze provides smart home products, smart devices, and wireless cameras. It aims to make smart home technology accessible to everyone. Wyze believes in less margin and focusing on the customer’s experience.

Wyze received a support case from IPVM about the report “Massive Data Leak” posted on 26 December 2019. According to the report, Wyze’s Elastic search databases not properly secured and left exposed to the internet. Report originally published by an anonymous author on Twelve Security Blog, a Cybersecurity firm. Data leak later confirmed by Wyze’s Co-founder Dongsheng Song in a forum post on 27 Dec 2019.

Dongsheng confirmed Wyze user data was not properly secured and left exposed to the internet for 22 days between 4 December 2019 to 26 December 2019. Dongsheng also said the exposed elastic database server was not production. However, they copied a subset of real data to the secondary server from the production server. Data was safe when the secondary server created But, one of the employees on 4 December 2019 removed security protocols and left it vulnerable. They are still investigating the actual reason behind it.

Wyze is still investigating and not confirmed breach of any kind but, an article published by IPVM and 12Security says the following data was exposed:

• User name and email of Wyze camera owners.
• Personal and Health-related information of the user like Gender, Height, Weight, Bone Density, Bone Mass, etc.
• Email of a user who connected to the camera.
• List of all home cameras and its details like nicknames, device model, last login/logout time and firmware.
• API Tokens for access to the user account from any Mobile device.
• Alexa Tokens for users who have connected Alexa devices to their Wyze camera.

Dongsheng said exposed data did not contain user passwords or any financial information.

After verification of the data leak, Wyze increased one more protection layer to its database servers and pushed a token to all users so users automatically logged out from their account and forced to log back into their app. Wyze also unlinked all 3rd party integrations which require users to re-link with Alexa, Google Assitant, and FITTT.

If you are Wyze user and having any trouble logging into the Wyze app, please contact the customer support team.

Also Read: The Best IoT Devices to Buy in 2020