Customer data was left unsecured in an Elasticsearch database, according to the Internet of Things vendor.
Wyze, an Internet of Things (IoT) company, left an Elasticsearch database exposed to the internet, leaking linked-device information and the email addresses of millions of customers.
Wyze makes smart home cameras and connected devices such as smart bulbs and plugs that work with assistants such as Amazon Alexa and Google Assistant. The database was left publicly accessible in December.
IoT Company Wyze Leaks Emails
According to Wyze, the server held customer email addresses, camera nicknames, Wi-Fi SSIDs (Service Set Identifiers, the names of Wi-Fi networks), Wyze device information, and body metrics “for a small number of product beta testers” who were testing new hardware. The data was exposed from Dec. 4 until the database was secured on Dec. 26.
According to reports, up to 2.4 million Wyze users were affected. Wyze did not confirm the figure, saying only that “some Wyze user data” had been compromised; Threatpost has reached out for more details.
Data Transferred From Primary Production Servers
In a blog post published over the weekend, Wyze wrote: “To help manage Wyze’s extraordinarily quick development, we recently began a new internal initiative to identify better ways to evaluate core business KPIs like device activations, failed connection rates, and so on. We transferred some data from our primary production servers to a more flexible database that is easier to query.
“When this new data table was first established, it was password-protected. On December 4th, however, a Wyze employee made a mistake while using this database, and the existing security safeguards for this data were abolished. We are actively investigating this incident to determine why and how it occurred.”
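The failure Wyze describes, a copy of production data landing in a query-friendly database that ends up answering without authentication, is easy to check for from the outside. The script below is an added example written for this article, not code from Wyze or Threatpost: it sends one unauthenticated request to the real Elasticsearch `/_cat/indices?format=json` endpoint of a host you own and classifies the answer. The sample response bodies, index names and document counts are constructed for the example.

```python
"""Probe an Elasticsearch endpoint for unauthenticated index access.

Added example (not Wyze's or Threatpost's code). Point it only at hosts you
are authorised to test. The cat-indices path is the genuine Elasticsearch API;
every sample body below is constructed for illustration.
"""
import json
import urllib.error
import urllib.request

OPEN = "OPEN: unauthenticated index listing returned"
AUTH_REQUIRED = "auth required"
NOT_ES = "not an Elasticsearch index listing"

# Constructed sample bodies, shaped like real /_cat/indices?format=json output.
SAMPLE_OPEN_BODY = json.dumps([
    {"health": "yellow", "status": "open", "index": "device-activations",
     "docs.count": "1523", "store.size": "2.1mb"},
    {"health": "yellow", "status": "open", "index": "beta-users",
     "docs.count": "87", "store.size": "120kb"},
])
SAMPLE_AUTH_BODY = ('{"error":{"type":"security_exception",'
                    '"reason":"missing authentication credentials"},"status":401}')


def classify(status: int, body: str) -> str:
    """Classify the response to GET /_cat/indices?format=json."""
    if status in (401, 403):
        return AUTH_REQUIRED          # security is on and is challenging us
    if status != 200:
        return NOT_ES
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return NOT_ES                 # HTML error page, proxy banner, etc.
    # The cat API answers with a JSON list of per-index rows. An empty list is
    # still an unauthenticated answer, so it is still OPEN.
    if isinstance(data, list) and all(isinstance(row, dict) for row in data):
        return OPEN
    return NOT_ES


def index_summary(body: str):
    """Return [(index_name, doc_count), ...] from an open listing."""
    rows = json.loads(body)
    return [(row["index"], int(row.get("docs.count", 0))) for row in rows]


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Send the unauthenticated request and classify what comes back."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_cat/indices?format=json",
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as exc:
        return f"unreachable: {exc}"


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies; swap in probe(url) for
    # a live check of your own cluster, e.g. probe("http://127.0.0.1:9200").
    print(classify(200, SAMPLE_OPEN_BODY), index_summary(SAMPLE_OPEN_BODY))
    print(classify(401, SAMPLE_AUTH_BODY))
```

An `OPEN` result means the cluster lists its indices to anyone who can reach the port; the next request an attacker would make is a search against those indices, so the fix is to require authentication and to stop binding the HTTP port to a public interface, not merely to rename the indices.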
Alexa Tokens for 24,000 Users
Alexa tokens for 24,000 users, which allow those users to link their Alexa devices to their Wyze cameras, were also exposed in the database. There is no evidence that the API tokens used by the iOS and Android apps were exposed, but Wyze opted to rotate them as a “precautionary measure,” according to the company.
“We forced all Wyze users to log back into their Wyze accounts yesterday evening to generate new tokens,” Wyze said. “We also unlinked all third-party integrations, requiring customers to relink interfaces with Alexa, Google Assistant, and IFTTT in order to restore service functionality. We’re also taking steps to increase camera security, which will result in your camera rebooting in the coming days.”
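Invalidating every outstanding session token at once, and clearing every third-party link, is the standard response when tokens may have been exposed. The class below is an added example, not Wyze's code, showing one way to make that a single operation: each token is HMAC-signed and carries a global generation number and a per-user generation number, so bumping the global counter kills every token ever issued without touching a token store. The key, user names and service names are constructed for the example.

```python
"""Bulk session-token revocation, as an added example (not Wyze's code).

Token format: "<user>:<global_gen>:<user_gen>:<issued_unix>.<signature>".
Bumping global_gen invalidates every token issued so far (force re-login for
everyone); bumping a user's user_gen invalidates only that user's tokens.
"""
import base64
import hashlib
import hmac
import time


class TokenService:
    def __init__(self, key: bytes):
        self._key = key                 # constructed example key; keep real keys in a KMS
        self.global_gen = 0             # incremented by revoke_all()
        self.user_gen = {}              # user -> generation, incremented by revoke_user()
        self.integrations = {}          # user -> set of linked third-party services

    def _sign(self, payload: str) -> str:
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def issue(self, user: str) -> str:
        """Mint a token bound to the current global and per-user generations."""
        payload = f"{user}:{self.global_gen}:{self.user_gen.get(user, 0)}:{int(time.time())}"
        return payload + "." + self._sign(payload)

    def verify(self, token: str):
        """Return the user name for a valid, unrevoked token, else None."""
        try:
            payload, sig = token.rsplit(".", 1)
            user, g, u, _issued = payload.split(":")
        except ValueError:
            return None                 # malformed
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None                 # forged or tampered
        if int(g) != self.global_gen:
            return None                 # issued before a global revocation
        if int(u) != self.user_gen.get(user, 0):
            return None                 # issued before this user's revocation
        return user

    def revoke_all(self) -> int:
        """Invalidate every outstanding token; users must log in again."""
        self.global_gen += 1
        return self.global_gen

    def revoke_user(self, user: str) -> int:
        self.user_gen[user] = self.user_gen.get(user, 0) + 1
        return self.user_gen[user]

    def link_integration(self, user: str, service: str) -> None:
        self.integrations.setdefault(user, set()).add(service)

    def unlink_all_integrations(self) -> int:
        """Drop every third-party link so users must re-authorise each one."""
        count = sum(len(s) for s in self.integrations.values())
        self.integrations.clear()
        return count


if __name__ == "__main__":
    svc = TokenService(b"example-only-key")
    svc.link_integration("alice", "alexa")
    tok = svc.issue("alice")
    print("before:", svc.verify(tok))
    svc.revoke_all()
    print("after revoke_all:", svc.verify(tok))
    print("unlinked:", svc.unlink_all_integrations())
```

Because validity is derived from the generation counters rather than from a list of revoked tokens, the revocation is instantaneous and needs no scan of existing sessions; the counters must live in storage shared by every server that verifies tokens.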
According to Wyze, the database did not contain user passwords or government-regulated personal or financial information.
However, security experts like Troy Hunt, founder of HaveIBeenPwned.com, say the data leak is “serious.”
A reporter from IPVM.com, a news site that “provides evaluations, testing, and software for selecting and operating video surveillance products,” first alerted Wyze to the leak via a support ticket on Dec. 26.
After informing Wyze of the leak, IPVM published an article outlining the exposed data “nearly immediately.” The piece was based on a post by Texas-based consulting firm Twelve Security, which described the leak and was also published on Dec. 26.
Claims About Alibaba Cloud Disputed
Wyze says several claims made in those publications are false, including assertions that the company sends data to Alibaba Cloud, collects information about bone density and daily protein intake, and suffered a similar incident six months earlier.
In the meantime, Wyze said on Sunday that it is sending email notifications to all affected customers and that it “will offer future updates as our investigation progresses.”
“We are once again truly sorry for this situation,” Wyze stated. “As we work through this, we appreciate your patience. We’ve read over everyone’s feedback and are continuing to collaborate on ways to strengthen our security and prevent similar incidents in the future.”