The breach was not responsibly disclosed and remains unconfirmed.
Update 12-28-19: Wyze has confirmed that a version of its customer database was, in fact, open for access from December 4 to December 26. This was a copy of portions of the production database, including customer emails, camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. Wyze confirmed that the copied database had the previous security protocols removed, and Wyze is investigating how this happened during the copy.
What you need to know
- Wyze’s database was allegedly publicly exposed to the Internet, a breach reported by a security blog.
- Wyze has yet to confirm the breach but has signed out all users as a security measure.
- The breach was not reported in a responsible manner and leaves several questions surrounding its validity.
Wyze, the maker of affordable home security products, has allegedly suffered a data breach in which 2.4 million customer database records have been publicly exposed to the Internet. Twelve Security ran an article on December 26, 2019, stating that they found an open path to the company’s Elasticsearch database which contained some extremely sensitive information including exact home network details, locations of the cameras in the home, and even personal information on users.
In response to the post, Wyze issued a force sign-out of all users connected to its system and tightened its database security within 6 hours of being notified of Twelve Security’s post earlier in the day. Wyze states that it was unable to replicate the steps necessary to access its database publicly and has yet to verify that any information was leaked at all. Security website IPVM originally notified Wyze of Twelve Security’s post via support ticket and shows evidence that it has confirmed the exposure, citing several screenshots as evidence.
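The exposure described above comes down to an Elasticsearch endpoint that answers anonymous requests. The following is an added example, not code from Wyze, Twelve Security or IPVM, of the check a practitioner would run against a host they are authorised to test: it classifies the response to `GET /` as open, authentication-required or not Elasticsearch at all, and, for an open cluster, reads `/_cat/indices` to size the exposure without pulling any documents. The sample responses, index names and document counts are constructed for the example and do not describe Wyze’s database.

```python
"""Tell an unauthenticated, Internet-reachable Elasticsearch cluster from one that
enforces authentication. Added example; the responses below are constructed, not
captured from any real host, and the probe URL is a placeholder."""
import json
from urllib import request, error

OPEN = "open"                # answered without credentials: readable by anyone
AUTH_REQUIRED = "auth"       # rejected the anonymous request
NOT_ELASTIC = "not-elastic"  # something else is listening (or a proxy error page)


def classify_root(status: int, body: str) -> str:
    """Decide from the response to GET / what an anonymous client can do.

    An unprotected cluster answers 200 with its cluster name and version block.
    A cluster with X-Pack / Search Guard style auth answers 401 (or 403) with a
    security_exception error body instead."""
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return NOT_ELASTIC
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return OPEN
    return NOT_ELASTIC


def summarize_indices(cat_indices_body: str) -> dict:
    """Summarise GET /_cat/indices?format=json (readable only on an open cluster):
    index names plus the total document count, so the scale of an exposure is
    visible without reading a single record. Missing docs.count (e.g. system
    indices) counts as zero."""
    rows = json.loads(cat_indices_body)
    total = sum(int(r.get("docs.count") or 0) for r in rows)
    names = sorted(r["index"] for r in rows)
    return {"indices": names, "docs": total}


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Live check against a host you are authorised to test. Reads only / and the
    index catalogue; never fetches documents."""
    root = base_url.rstrip("/")
    try:
        with request.urlopen(root + "/", timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    result = {"verdict": classify_root(status, body)}
    if result["verdict"] == OPEN:
        with request.urlopen(root + "/_cat/indices?format=json", timeout=timeout) as resp:
            result.update(summarize_indices(resp.read().decode("utf-8", "replace")))
    return result


# Constructed sample responses (assumed shapes, not captured from any real host)
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "prod-copy",
    "version": {"number": "6.8.0"}, "tagline": "You Know, for Search"})
SAMPLE_AUTH_ROOT = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401})
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "index": "users", "docs.count": "2400000"},
    {"health": "green", "index": "alexa_tokens", "docs.count": "300"},
    {"health": "yellow", "index": ".kibana", "docs.count": None},
])

if __name__ == "__main__":
    print(classify_root(200, SAMPLE_OPEN_ROOT))    # open
    print(classify_root(401, SAMPLE_AUTH_ROOT))    # auth
    print(summarize_indices(SAMPLE_CAT_INDICES))
    # probe("http://elasticsearch.example.internal:9200")  # placeholder host
```

The distinction matters for the disagreement in the article: a cluster copied without its access controls answers `GET /` as `open` to anyone on the Internet, while the production cluster Wyze tested against would answer `auth`, which is consistent with Wyze being unable to replicate the access from its side.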
As it stands, Wyze Camera users will need to log back into their accounts and generate new 2-factor authentication (2FA) codes. Any Wyze cameras that have been linked to Alexa, Google Assistant, or IFTTT will need to be re-linked in order to create a new security token. Users are also encouraged to change their account passwords. Wyze also suffered heavy traffic load in the twelve hours after the database changes were made and had issues with its 2FA servers, but has since ironed those out. Users that had trouble logging into their accounts should no longer have problems, according to the company.
Twelve Security doesn’t appear to have responsibly disclosed this breach by reporting it to the affected party first (in this case, Wyze). This has made it difficult to identify how large the breach was before being disclosed and what might have actually been accessed. Wyze is in the middle of an investigation into the breach and has stated that it will report back once it has more information.