IoT Company Wyze Discloses Data Leak Affecting 2.4 Million Users

Wyze, the maker of various smart devices, has recently disclosed a data leak. The incident, which the company calls a ‘breach’, has affected around 2.4 million users.

Details Of Wyze Customers Exposed Online

The IoT vendor Wyze has reportedly confirmed a data leak. The incident first caught the attention of the cybersecurity firm 12security. Later, the video surveillance authority IPVM also confirmed the incident.

According to details that surfaced online, 12security found two unprotected Elasticsearch databases online that belonged to Wyze. As the researchers explained,

“both of their entire production databases have been left entirely open to the internet.”

The databases included explicit customer information, potentially putting the security and privacy of around 2.4 million users at risk.

Wyze Confirms Data Leak

While the firm initially remained silent, it later confirmed the incident in a post on its official forum. It also acknowledged receiving the report of the data leak on December 26, 2019. Regarding the exposure of the two databases, the company explained,

“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”

Regarding the information impacted, Wyze confirmed that the database included Wyze customers’ names, email addresses, email IDs associated with shared users, a list of all in-use cameras on the network, WiFi SSIDs, time logs, API tokens, and the Alexa tokens for 24,000 users. It also included some explicit information. As stated,

“Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users.”

Wyze stated that it held this information for about 140 beta testers of new hardware.

The databases remained exposed from December 4th to December 26th. Following the report, Wyze closed the databases. So, for now, the customers are safe. Meanwhile, the company is taking numerous measures to ensure security in the future.
