camera and smart device maker Wyze Labs has confirmed a data breach that left
exposed a database containing information on reportedly 2.4 million of its users.
Dongsheng Song confirmed the data breach on December 27 and said the exposed
database contained a large amount of personal, product and some medical
and email of those who purchased cameras and then connected them to their home.
of any user they ever shared camera access with such as a family member.
of all cameras in the home, nicknames for each camera, device model and
SSID, internal subnet layout, last on time for cameras, last login time from
app, last logout time from app.
Token for access to user account from any iOS or Android device.
Tokens for 24,000 users who have connected Alexa devices to their Wyze camera.
weight, gender, bone density, bone mass, daily protein intake, and other health
information for a subset of users.
detailed the chain of events noting the company received notice of the open
database on December 26 when the cybersecurity firm Twelve Security posted news of the
case, both the company’s production databases were left entirely open to the
internet. A significant amount of sensitive information generated by 2.4
million users, all coincidentally outside of China, was the result,” Twelve Security
Wyze has not
confirmed the number of its customers affected.
itself, which had just been created, was initially set up correctly, but an
employee made an error on December 4 leaving the information exposed, Song said.
some data from our main production servers and put it into a more flexible
database that is easier to query. This new data table was protected when it was
originally created. However, a mistake was made by a Wyze employee on December
4th when they were using this database and the previous security protocols for
this data were removed. We are still looking into this event to figure out why
and how this happened,” Song said in a post
on the company’s website.
As an added
precaution Wyze has refreshed its iOS and Android API tokens even though there
is no evidence they were compromised.
is in the process of informing those affected but did not say when the
notifications would be sent.
apologized for the breach but defended his company’s overall approach to securing
heard people say, ‘You pay for what you get,’ assuming Wyze products are less
secure because they are less expensive. This is not true. We’ve always taken
security very seriously, and we’re devastated that we let our users down like
this,” he said.