A Wyze camera security breach has seen a large amount of personal data leaked for more than 2.4 million users…
TwelveSecurity, which detected the breach, says it has never before seen such a serious breach.
Personally, in my ten years of sysadmin and cloud engineering, I never encountered a breach of this magnitude […]
Both the company’s production databases were left entirely open to the internet. A significant amount of sensitive information generated by 2.4 million users, all coincidentally outside of China, was the result.
So what did the information include? The following:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Wyze has confirmed the leak.
Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th […]
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.
The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.
It has, however, said that it has since discovered that ‘an additional database’ was left unprotected.
The company says that no passwords or financial data were included in the Wyze camera security breach and that it will be emailing affected users.
As with any breach, we would recommend that all Wyze users change their password as a precaution and be especially alert to phishing attempts. Given the amount of personal data that was leaked, it would be easy for an attacker to spoof an email from Wyze that would appear genuine.