Wyze, an IoT device maker, has just reported a data leak from its servers that exposed a database of 2.4 million customers, including email addresses, nicknames, WiFi SSID identifiers, etc.
Whistleblowing External Sources
The leak was initially reported by Twelve Security and later confirmed by IPVM. Wyze responded immediately with details on its forum. The leak was reported to be an accident: an employee had left the internal database unprotected since December 14th, 2019.
The company became aware of the incident at 10 AM, after an IPVM reporter raised a support ticket at 9.21 AM (26th December) and immediately published on Twitter (at 9.35 AM), along with Twelve Security’s post. Dongsheng Song expressed his dissatisfaction with this disclosure methodology, as they were given just 14 minutes to fix it!
Song explained that the leak related to their Elasticsearch system, a new technology used to handle their queries quickly. This was said to be a project initiated recently to handle their rapid growth. Song said,
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.”
Though this was the system compromised, he gave assurance that no sensitive details, such as passwords or users' financial information, were leaked. The leaked data consists of:
- Email addresses of Wyze customers
- User-assigned nicknames for their Wyze security cameras
- WiFi network SSID identifiers
- Alexa tokens to connect Wyze devices to Alexa devices
While Song admitted collecting health information from a 140-member group that is beta testing their new product, he denied Twelve Security's claims that Wyze APIs were exposed and that user data was being sent back to Alibaba Cloud in China.
Song closes the post on a note of apology for this incident and promises to add the results of their ongoing investigation soon. Ending the year on a similar path is Ring, a famous smart security gadget maker, which many customers alleged had been compromised somehow and used by unknown parties to watch and communicate with their children.