IoT vendor Wyze announced that details of roughly 2.4 million customers were accidentally exposed online.
The company produces
The leak was reported to Wyze on December 26th at around 10:00 AM, and the company immediately secured the database and launched an investigation.
The Elastic server was discovered by
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
The data were contained in an Elasticsearch server database that was set up by Wyze for an internal project.
According to Twelve Security, the exposed data includes:
Experts from Twelve Security claimed they found API tokens that would have allowed hackers to access Wyze user accounts from any iOS or Android device.
The incident was independently verified by the authors of the blog IPVM, which focuses on video surveillance products.
Song pointed out that both Twelve Security and IPVM disclosed the leak without giving the company time to fix the issue.
“We were first contacted through a support ticket at 9:21 a.m.
Song pointed out that several of the things reported by Twelve are not true; for example, he denied that Wyze sends data to Alibaba Cloud in China.
Song also added that Wyze only collected health data from 140 users who were
In response to the incident, Wyze logged all Wyze users out of their accounts and
(SecurityAffairs – data leak, hacking)