Security camera manufacturer — Wyze — admitted to a data leak that exposed data on more than 2.4 million users.
The leak, which was first discovered by cybersecurity firm Twelve Security, was the result of an exposed server. In a blog post, the Twelve Security researcher who disclosed the leak wrote that Wyze’ production database was left entirely open with anyone able to access it.
The exposed information includes:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
In a forum post, Wyze co-founder, Dongsheng Song, confirmed the breach, and wrote that the exposed server was not a production database, but instead a “flexible database,” which allowed customer data to be more quickly queried.
Additionally, the co-founder said an employee error caused the company’s server security protocol to be removed on December 4th, leaving the database exposed until December 26 when the company became aware of the leak.
All accounts created prior to December 26, 2019, are affected by the leak.