Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Unprotected Database Leaks Data of Wyze Users

An unprotected database was found to have exposed the data of all Wyze users who created an account before December 26, 2019.

An unprotected database was found to have exposed the data of all Wyze users who created an account before December 26, 2019.

Seattle, Washington-based Wyze Labs is the creator of affordable smart home products that aim to provide users with the same capabilities as more expensive systems. The company’s first product was WyzeCam, a remotely-controlled smart home camera.

Following a report last week of an exposed database containing a great deal of information on Wyze users, the company stepped forward and confirmed the leak, while also revealing that it had launched an investigation into the matter.

The initial report on the leak suggested that the database contained usernames and emails of those who connected the smart cameras, along with the emails of those they shared camera access with, a list of all cameras in the home, nicknames of these cameras, device model, and firmware.

Moreover, the leak reportedly included WiFi SSID, internal subnet information, API tokens for access from iOS and Android devices, Alexa tokens for 24,000 users, and personal information such as height, weight, gender, bone density, bone mass, daily protein intake, and other health information for a subset of users.

Immediately after learning of the incident, Wyze pushed a token refresh to all users, forcing them to re-login and re-link integrations with Google Assistant, Alexa, and IFTTT.

The next day, the company revealed that the exposed database, which contains only part of the data stored on the main production servers, was created on December 4, 2019, as part of an “internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.”

The database, the company says, contained customer emails, camera nicknames, WiFi SSIDs, Wyze device information, profile photos, body metrics for a number of beta testers (140 external beta testers), and limited tokens associated with Alexa integrations.

Advertisement. Scroll to continue reading.

“User passwords or government-regulated personal or financial information” wasn’t in the database and API tokens for iOS and Android did not appear exposed, although they were refreshed as a security measure, Wyze says.

In an update this week, the company revealed that a second unprotected database was discovered after the investigation was launched, adding that it was not a production database either. However, Wyze did not provide details on the type of information included in that database.

The company became aware of the leak on December 26, when a reporter at IPVM.com created a support ticket on the Wyze forums. The breach, however, was discovered by Twelve Security, which claims that the company has ties to Chinese state-sponsored threat groups and that it also sends data to Alibaba Cloud, allegations that Wyze denies.

Wyze says that while it does have an office in China, the majority of its developers, engineers, and employees are located in Seattle. The company notes that it does not do any business with China’s markets or government, and that the team there uses separate servers that do not contain customer information.

According to Twelve Security, there is a connection between Wyze and Kingsoft, which became Cheetah Mobile, and which appears to be connected to Chinese threat groups. Moreover, Twelve Security points out that the founder and former CEO of Kingsoft, Jun Lei, is also the founder and CEO of phone maker Xiaomi.

Related: Data Breach Hits 22 Million Web.com, Register.com, Network Solutions Accounts

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.