Smart device firm data leak exposes information on 2.4 million users

Data leak by smart home device company Wyze exposes personal details of 2.4 million users including email addresses and health data

  • Human error led to the database’s security protocols being temporarily removed
  • Compromised information also included WiFi names and smart device details
  • In light of the incident, Wyze has said it will review all its security policies
  • Affected users should log back in to their account and re-link other services
  • Impacted smart device owners should be wary of potential phishing attempts 

A data leak by smart home device manufacturer Wyze left the personal details of 2.4 million users exposed on the internet for more than three weeks.

Among the compromised information were user email addresses, WiFi network names, smart device details and the health statistics of a limited number of users.

Founded by former Amazon employees, the Seattle, Washington-based firm specialises in inexpensive smart cameras, light bulbs, plugs and security devices. 

Wyze has now secured the database and forced users to reset their account passwords, as well as their connections with other services like Amazon’s Alexa or Google Assistant.

WHAT SHOULD AFFECTED WYZE USERS DO NOW? 

Wyze is reportedly working on emailing all the impacted users.

In the meantime, the firm is encouraging its users to practice vigilance online. 

‘A 3rd party may have your email address,’ said Wyze co-founder Dongsheng Song.

‘Be aware of spam or a phishing attempt,’ he added.

‘We’ve logged you out of your Wyze account.’ 

‘You will need to log back in and re-link your Alexa, Google Assistant, or IFTTT integrations if you use these services and haven’t done so yet.’

The breach was first identified on December 26, 2019 by consulting firm Twelve Security, and subsequently confirmed by video surveillance authority IPVM.

According to experts from Twelve Security, the exposed database contained information on around 2.4 million Wyze users — around a quarter of whom were based in the US, with the rest scattered across the UK, Egypt, the UAE and Malaysia.

Data compromised in the leak included usernames and associated emails, Alexa tokens for users who had connected their devices to Amazon’s virtual assistant, as well as information on specific Wyze devices and their wireless network names.

Furthermore, health stats — including height, gender and weight — were also exposed for 140 users who had been beta-testing Wyze’s upcoming smart scale product.

‘We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,’ Wyze co-founder and chief product officer Dongsheng Song wrote in a forum post on December 27, 2019.

‘We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created,’ Mr Song wrote.

‘However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

‘We are still looking into this event to figure out why and how this happened.’

According to Wyze, the compromised information did not include any passwords, nor personal financial data, physical addresses or ‘government-regulated’ personal information.

Mr Song denied Twelve Security’s report that the compromised information included the bone density and daily protein intakes of the smart scale testers — and the claim that Wyze was sending user data to the Alibaba Cloud in China.

He also refuted the allegation that the firm had experienced a similar data breach earlier this year. 

‘We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true,’ Mr Song added.

‘We’ve always taken security very seriously, and we’re devastated that we let our users down like this.’

‘This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.’

‘We are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.’

WHAT IS THE INTERNET OF THINGS? 

Although the term ‘Internet of Things’ (IoT) first appeared in 2005, there is still no widely accepted definition. 

IoT includes gadgets bought by consumers, as well as products and services designed for businesses to help machines ‘communicate’ with each other. 

For example, the term IoT can include the Radio Frequency Identification (RFID) tags businesses place on products in stores to track their inventory, or sensors that monitor electricity use in hotels. 
