Wyze implemented a token refresh for all of its users after learning of a security incident that allegedly leaked user data.
On December 26, Twelve Security reported that smart home camera provider Wyze had left its production servers open to the web. The security stated that the misconfiguration had exposed the sensitive information of 2.4 million users including their usernames, email addresses, height, weight, gender, bone density, bone mass, daily protein Intake, and other health information. It also said that the incident had exposed the email addresses of family members and other users who had shared access to a camera.
Twelve Security said that it had decided not to notify the company before publishing its article because of “clear indications that the data is being sent back to the Alibaba Cloud in China.” It also said that an earlier incident involving the camera provider had informed its decision.
IPVM, a reviewer and tester of video surveillance technology, wrote in its own blog post that it had spoken with Twelve Security, reviewed its findings and confirmed the incident.
A day after Twelve Security published its article, Wyze Co-Founder and Chief Product Officer Dongsheng Song said that the company had received a report of a data leak. He explained that the incident was limited to a flexible database on which teams had copied data from the company’s production servers. That information included customer emails as well as camera nicknames, body metrics and device information of approximately 140 beta testers along with some tokens for Alexa integrations.
Song went on to clarify that a Wyze employee had mistakenly removed the proper security protocols on that database on December 4, thereby leaving it exposed until December 26. He also noted that many of the details reported by Twelve Security were untrue. As quoted from his forum post:
Several of the things that have been reported are not true. We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing. We did not have a similar breach 6 months ago.
In response to learning of Twelve Security’s article, Song said that the smart camera provider had attempted to verify that a data breach had occurred. That effort was unsuccessful, according to Song, prompting the company to contact Twelve Security for further clarification about the incident.
It had not received a response at the time of writing.
Following its initial update, Wyze discovered an additional non-production server that was unprotected. It said it was in the process of investigating the circumstances for its exposure. Song disclosed that the additional server had not contained passwords or financial data at the time of its discovery.
Amid Wyze’s ongoing investigation into what happened, Song said that the company took the precautionary step of resetting all users’ tokens. That means users will need to log back into their accounts and re-link their Alexa integrations. He also disclosed that customers should expect to receive an email explaining what happened in the near future.
In the meantime, Wyze customers should consider using these tips to change their account passwords out of an abundance of caution. They should also implement multi-factor authentication on their accounts if they haven’t done so already.