Smart home tech maker Wyze Labs confirmed that data on over 2.4 million of its users was exposed through an unsecured database connected to an Elasticsearch cluster for over three weeks, from December 4 to December 26.
Wyze is a Seattle-based company that sells smart devices like security cameras, smart plugs, smart lightbulbs, and smart door locks.
Cybersecurity firm Twelve Security first discovered the security breach, and published its findings on December 26th, while IPVM, a blog focused on video surveillance products, was able to verify that its data had been affected by the leak.
The data included customer emails, nicknames of online cameras, IP addresses, WiFi SSIDs, device information, and Alexa tokens. The breach affected 2.88 million users worldwide, about half of whom are in the U.S. Wyze also says that “body metrics” (physical information about beta testers of a forthcoming scale product) were exposed. However, the company says no user passwords and no personal or financial information were exposed.
Security researcher Dan Ehrlich tells ISMG he found two Elasticsearch databases and a MySQL production database exposed to the internet. He believes the MySQL production database may have been exposed for as long as 11 months.
Twelve Security went further, claiming there were “clear indications” that the data was being sent to Alibaba Cloud in China. A forum post by Wyze co-founder Song disputes this: he said that Wyze does not use Alibaba Cloud and that, although it has employees and manufacturing partners in China, it does not share user data with any government agencies.
Ehrlich says he contacted a managing editor at the Wall Street Journal and asked her if she had three Wyze cameras installed in her home. She did. Ehrlich says she told him she was going to disconnect the cameras.
In another example, Ehrlich says he could see logs for a Los Angeles man’s Wyze camera, including an alert that showed to the minute when a package arrived one morning.
In response to the security lapse, Song says that Wyze has begun an audit of all its servers and databases, and has discovered another unprotected database. He also said that the company is revisiting “all aspects” of its security guidelines. In the meantime, the co-founder said that Wyze users should beware of phishing attacks and that the company has logged all its users out of their accounts and unlinked their third-party integrations to try to close the security loophole caused by the compromised API and Alexa tokens.
Song said the exposed database — an Elasticsearch system — was not a production system, although the server was storing valid user data. Elasticsearch, a technology for powering very fast search queries, had been set up to help the company sort through the vast amount of user data.
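The exposure pattern described here, an Elasticsearch node bound to a public interface with no authentication in front of its HTTP API, is something a server audit like the one Song describes can catch from configuration alone. The following is an added example and is not Wyze's code or anything from the article: it audits constructed sample elasticsearch.yml fragments against the real network.host, xpack.security.enabled and xpack.security.http.ssl.enabled settings, and assumes the 7.x-era default in which security stays off unless explicitly enabled.

```python
"""Flag Elasticsearch nodes whose config leaves an unauthenticated HTTP API
reachable from outside the host. Added example with constructed sample
configs; it is not Wyze's configuration or code."""

# Values of network.host that keep the node on the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_simple_yaml(text):
    """Parse the flat 'key: value' subset of elasticsearch.yml (no nesting).

    Handles inline comments and the bracketed list form used by network.host.
    Real deployments should use a full YAML parser; this keeps the example
    dependency-free."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("'\"")
        settings[key.strip()] = value
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit_node(name, settings):
    """Return a list of findings for one node's settings."""
    findings = []
    # Elasticsearch binds to loopback unless network.host says otherwise.
    hosts = settings.get("network.host", "_local_")
    if isinstance(hosts, str):
        hosts = [hosts]
    external = [h for h in hosts if h not in LOOPBACK]
    # Assumption: 7.x basic-licence default, security off unless enabled.
    security_on = is_true(settings.get("xpack.security.enabled", "false"))
    tls_on = is_true(settings.get("xpack.security.http.ssl.enabled", "false"))
    if external and not security_on:
        findings.append(
            f"{name}: bound to {external} with xpack.security.enabled=false; "
            "the HTTP API answers without authentication"
        )
    elif external and not tls_on:
        findings.append(
            f"{name}: authentication on but xpack.security.http.ssl.enabled=false; "
            "credentials cross the network in clear text"
        )
    return findings


def audit_all(configs):
    """Audit a mapping of node name -> elasticsearch.yml text."""
    findings = []
    for name, text in configs.items():
        findings.extend(audit_node(name, parse_simple_yaml(text)))
    return findings


# Constructed sample configs: one exposed node, one hardened node, one local.
SAMPLE_CONFIGS = {
    "analytics-01": """
cluster.name: analytics
network.host: 0.0.0.0   # reachable on every interface
http.port: 9200
discovery.type: single-node
""",
    "analytics-02": """
cluster.name: analytics
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
""",
    "dev-laptop": """
network.host: 127.0.0.1
""",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFIGS):
        print(finding)
```

Run against the samples, only analytics-01 is reported: it is bound to every interface with no authentication, which is exactly the condition under which a cluster holding real user data becomes readable by anyone who finds port 9200. A configuration check like this is cheap to run across a fleet, but it only inspects settings; pairing it with a firewall or cloud security-group review catches nodes that are protected at the network layer even when the node config looks open.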
As a direct result of these measures, all Wyze customers will have to log back in the next time they need to access their accounts and relink their Alexa, Google Assistant, or IFTTT integrations.