More than 2.4 million users have had their personal data exposed in a Wyze camera security breach. The breach, first detected by TwelveSecurity, is the largest breach of its type ever seen, says the blog.
Personally, in my ten years of sysadmin and cloud engineering, I never encountered a breach of this magnitude […]
Both of the company’s production databases were left entirely open to the internet, exposing a significant amount of sensitive information generated by 2.4 million users, all of them, coincidentally, outside of China.
So what did the information include? The following:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Wyze has confirmed the leak.
Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th […]
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.
The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.
The company later said it has discovered that “an additional database” was also left unprotected. However, the company says no passwords or financial data were exposed in the breach, and that it will be emailing affected users.
Wyze users are advised to change their passwords as a precaution, and to stay alert for any phishing attempts, such as emails appearing to be from Wyze.