Many people spent last week exchanging gifts, wearing ugly sweaters and eating copious amounts of food. The developers at Wyze, an Internet of Things (IoT) company mostly known for its smart home cameras, instead spent much of the week investigating claims that its unprotected databases had leaked customer data. The company said on December 27 and December 29 that those claims were correct.
Wyze co-founder Dongsheng Song provided details about the company's investigations via a forum post that's been updated several times since its publication on December 26. The first update confirmed initial reports from Twelve Security and IPVM that claimed the company had exposed customer information. Here's what Song said in the update he made to his forum post on December 27:
"Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th. [...] The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations."
In response, the company has refreshed its API tokens, which has required all of its users to sign back in to its mobile apps and online services. It also unlinked its products from Alexa, Google Assistant and IFTTT. Dongsheng Song said the company would also be "taking action to improve camera security, which will cause your camera to reboot in the coming days" but didn't offer details about those updates.
Song updated the forum post again on December 29 to reveal another leak:
"We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak. We want to thank the Wyze community member who contacted us privately about this shortly after our 12/27 update. Their assistance helped us address this vulnerability quickly that evening."
Song said that Wyze plans to email affected users about the data leak "in the near future." Right now it seems the company is still investigating both incidents to determine why the databases were exposed, how much data was affected by the leaks, and what it needs to do to improve its security. IPVM and Twelve Security reported that some 40 million records and around 2.4 million users were exposed.
Wyze currently sells two internet-connected cameras, a smart light bulb, a connected wall plug and a package that includes both motion sensors and contact sensors. Song's reference to "body metrics for a small number of product beta testers" suggests the company plans to release an internet-connected scale as well. It's not clear which products were affected by the leaks covered in Song's forum post.