Wyze, an IoT device maker, has reported that a data leak on its servers exposed 2.4 million customers’ records, including email addresses, nicknames, WiFi SSID identifiers and more. The leak was reported to be an accident: an employee left the internal database unprotected for 22 days, beginning on December 4th, 2019.
The company sells smart devices such as smart door locks, security cameras, smart plugs, smart lightbulbs and other products.
Security Protocols Accidentally Removed on December 4th
Wyze co-founder Dongsheng Song published a post on Christmas about the exposed internal database, explaining in detail what happened:
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
Cyber-security consulting firm Twelve Security discovered the issue and reporters from IPVM also verified it. According to Song’s post, Wyze fixed the issue just 14 minutes after being notified:
“We were first contacted through a support ticket at 9:21 a.m. on December 26 by a reporter at IPVM.com. The article was published almost immediately after (Published to Twitter at 9:35 a.m.). It was published in conjunction with a blog post from a private security company also published on December 26th. We were made aware of this article at ~10:00 a.m. from a community member who had read the article.”
Wyze Denied Twelve Security’s Claims of Wyze API Tokens Being Leaked
Song confirmed that customer data was exposed in the leak; however, he denied that Wyze API tokens were exposed. Twelve Security claimed that it did find API tokens that could have allowed attackers to access user accounts from an iOS or Android device.
Twelve Security also claimed that the user data was sent to an Alibaba Cloud server in China, which Song denied. He did acknowledge that Wyze collected health information (height, weight and gender) from 140 users who had tried its smart scale product, then in beta testing.
As a security measure, Wyze logged all users out of their accounts and unlinked every third-party app integration they had connected. This way, new Wyze API tokens and Alexa tokens were generated once users logged back in and relinked their devices to their Wyze accounts.