Wyze Data Leak Exposes Personal Information of Nearly 2.5 Million Customers


We talk often at IoT Tech Trends about how smart home Internet of Things devices can leave important personal information vulnerable. Many times, it seems the device manufacturers aren’t very upfront about the lack of security and data breaches.

But Wyze is different. Regrettably, the company suffered a data leak that exposed the personal information of 2.4 million customers. However, they are owning up to it and taking quick action to mend the situation. It does nothing to change the leak, but it is a refreshing change.

Wyze Data Leak

Wyze, a manufacturer of security cameras, admitted on December 26 that it had been made aware of a “data leak” that affected the personal information of nearly 2.5 million customers. This was caused by “a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” wrote Wyze co-founder and chief product officer Dongsheng Song in a company post.

He also explained exactly how this leak occurred. “We copied some data from our main production servers and put it into a more flexible database that is easier to query,” Dongsheng explained. “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”

Again, while this doesn’t do anything to change the fact that this private information was exposed, it should also be notable that this was not a failure of Wyze to protect information as a general rule. This was an employee who didn’t follow proper security protocols.


This leak includes user names and emails as well as the emails of family members and others with whom camera access was shared, nicknames for the cameras, device and firmware Wi-Fi SSID, last login and logout, the tokens for access from iOS or Android devices, Alexa devices, and more.

In the quoted list, Wyze also says height, weight, gender, bone density, bone mass, and daily protein intake information was also leaked for a subset of users, yet it also says in the original post, “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.” This bit of confusion has not been cleared up.

How Your Information Will Be Handled in the Future

The company explains that this leak happened “to help manage extremely fast growth of Wyze.” This led them to take on this “internal project” to “find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query.”

To remedy the situation, it explained that “all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT.”

While it’s a bit of a pain to log back in again, doing so is important for protecting information in the future. Wyze is not forcing users to reset their passwords, as the passwords weren’t stolen. However, it’s certainly advisable to reset them anyway. It’s also recommended to rename other information that was leaked, including internal Wi-Fi SSIDs and cameras. Taking these steps, as well as repositioning cameras, can help prevent a further data leak.

Do you think Wyze is taking the actions it should to tackle this situation? Tell us your thoughts in a comment below.

Image Credit: Davidlamma via Wikimedia Commons and public domain

One comment

  1. “Wyze Data Leak Exposes Personal Information of Nearly 2.5 Million Customers”
    WHY does Wyze have this customer data??? WHY does the camera have to report back to the mother ship??? Just goes to emphasize the stupidity of the current “smart” technology. Once a device is sold to a customer, the manufacturer must not retain ANY control of it. Otherwise something like this will occur again and again and again.

    “it should also be notable that this was not a failure of Wyze to protect information as a general rule”
    BOVINE EXCREMENT! That’s splitting hairs. It definitely was a failure to protect information on Wyze’s part. It was a Wyze employee who allowed this to happen. The best way to protect user data/information is not to ever have it in your possession. What Wyze does not have cannot be stolen from them.

    “Wyze also says height, weight, gender, bone density, bone mass, and daily protein intake information was also leaked”
    ?????? I can understand, although I do not condone, Wyze having users’ names, rank and serial numbers but height, weight, gender, bone density??? What possible rationale can Wyze use to justify collecting such information??? How does that specific information relate to the functions of a security camera???!!! Unless, of course, Wyze is making money on the side by selling all that information.

    “Do you think Wyze is taking the actions it should to tackle this situation?”
    Definitely not! Scapegoating an employee is a dirty trick, as well as evading responsibility, moral and legal. The only way to “tackle” this situation is for Wyze to expunge ANY traces of user/customer data by nuking their data servers.
