Wyze has confirmed that an unsecured database containing millions of customers’ personal information was exposed to the public.
Cybersecurity firm Twelve Security discovered the breach and disclosed its findings on December 26. Wyze, known for its smart cameras and connected home gadgets, confirmed the leak soon after.
In a blog post, Wyze co-founder Dongsheng Song wrote that following an ongoing investigation and an audit of all servers and databases, an unprotected database was discovered.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed,” Song explained.
As a result, customer information was exposed from December 4 to December 26, 2019. All users who created an account prior to December 26, 2019 have been affected.
Exposed information included Wyze nicknames, Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens. Passwords and personal financial data were not included in the database.
Twelve Security claimed that the database also included a large amount of health information, including bone density, height, weight and daily protein intake. Song confirmed that health information was included due to a beta test of a new smart scale product, but disputed that bone density and daily protein intake data were collected.
Twelve Security has also claimed that the data was being sent to the Alibaba Cloud in China. Song has disputed this and stated that Wyze does not utilise Alibaba Cloud and that, although it has manufacturing partners and employees in China, it does not share user data.
“We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this,” Song added.
“This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.”
The post #Privacy: Wyze data breach exposes customer data of 2.4 million users appeared first on PrivSec Report.