Wyze Discloses Data Leak Exposing 2.4 Million Customers
In a déjà vu moment, another smart device manufacturer is involved in a customer data security incident.
On December 26, Wyze, a provider of home video cameras and smart home devices, announced a data leak with its servers that exposed the personal data of 2.4 million customers.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query,” Dongsheng Song, cofounder of Wyze and chief product officer, explains in a company post. “However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
“The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.”
This is happening at the same time as investigations into a number of Ring camera hacks are underway. In one case, a hacker accessed a Mississippi family’s Ring security camera and engaged in a conversation with an 8-year-old girl, suggesting he was Santa Claus. The intrusion was marked by a rendition of Tiny Tim’s “Tiptoe Through the Tulips” and a call for the girl to destroy her room.
In a statement to CNN, Ring insists that the weakness of the family’s account security — including a failure to enable two-factor authentication — contributed to the intrusion. “Customer trust is important to us and we take the security of our devices seriously,” the statement said, responding specifically to the Mississippi case. At least three other cases of device intrusions have been reported. “We have investigated this incident and can confirm it is in no way related to a breach or compromise of Ring’s security.”
The data Wyze was seeking to collect were business metrics such as device activations and failed connections. While the leaked data did not include passwords, it may have included body metrics such as the height, weight and gender of its users, along with other health information. More notably, the leaked information indicates the number of cameras at a premises, their models, the internal subnet layout and the last time the cameras were on. Such information could potentially provide intelligence to bad actors about the security strength of a home.
As most people assign their devices practical names, such as “Master Bedroom 1” or “Nursery Camera — Crib,” knowing the number of cameras a user owns and their names can give a thief a virtual map of where each camera sits in a home. While it is possible that a home contains other security devices, most people practice brand loyalty, meaning that such information can potentially help a bad actor enter a home and avoid detection.
While a post from Twelve Security claims that bone density, bone mass and daily protein intake were leaked for a subset of users, Wyze denies this. “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.” The collection and dissemination of such data without the customer’s consent is explicitly prohibited in the US under the Health Insurance Portability and Accountability Act — or HIPAA. This data could have been collected from external beta tests of several health devices the company plans to roll out in the future.
Wyze, at this point, is not mandating password changes. However, if you believe this breach affects you, you may want to change not only your passwords but also your Wi-Fi SSIDs and the locations and nicknames of your smart devices, just in case.
It is also worth noting that this is not the only leak Wyze suffered. On December 29, the company posted an update. “We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected,” the update reads. “This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak.”
Wyze was started in 2017 by several former Amazon employees. A competitor to Ring, the company offers low-priced and entry-level security cameras and smart devices.