Wyze, maker of smart home devices such as cameras, locks, and lightbulbs, has confirmed several data breaches that left personal data linked to millions of its customers exposed online.
The first leak was spotted by cybersecurity firm Twelve Security and reported on December 26, while the second was reported a short while later by a Wyze community member. Twelve Security suggested the data belonged to as many as 2.4 million Wyze customers.
The data, which remained exposed from December 4 through December 26, 2019, included emails, camera nicknames, Wi-Fi network IDs, Wyze device information, and also body metrics for 140 people who were testing a new piece of Wyze hardware.
The Seattle-based startup said that no financial information or passwords were held in the exposed databases.
What happened?
Confirming the mishap in messages posted on a Wyze forum, company co-founder Dongsheng Song said it resulted from an effort to “find better ways to measure basic business metrics like device activations, failed connection rates, etc.” Song said his team had transferred data from its main production servers to a more flexible database that was easier to query.
“This new data table was protected when it was originally created,” Song explained. “However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
He added that the company, which launched two years ago, will provide a more detailed explanation once its investigation is complete. Song also strongly denied Twelve Security's claims that Wyze data “is being sent back to the Alibaba Cloud in China.” He said that while the company does have official Wyze employees and manufacturing partners in China, it “does not share user data with any government agencies in China or any other country.”
In an FAQ section about the data breach, Song told users that, in case the email addresses fall into the wrong hands, they should be aware of phishing attempts, in which criminals try to trick recipients into giving up log-in information for online services.
Wyze: “We’re devastated”
Apologizing to customers, the Wyze co-founder said: “We’ve always taken security very seriously, and we’re devastated that we let our users down like this. This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.”
Wyze’s misstep caps a grim year for data breaches. In the spring, data linked to 80 million households was leaked online, and in October more than 7 million Adobe customers had their personal information exposed. Facebook, meanwhile, saw data belonging to 540 million of its users exposed by third-party apps, and earlier this month information linked to 267 million Facebook users was found on a hacker forum. Other serious breaches involved financial services firm Capital One and photo site 500px, among others.
We’d like to think 2020 will see companies taking much better care of our personal information online, but we’re not holding our breath.