We often talk at IoT Tech Trends about the potential for important personal information to be vulnerable because of smart home Internet of Things devices. Many times, it seems device manufacturers aren’t very upfront about a lack of security or about data breaches.
But Wyze is different. Regrettably, the company suffered a data leak that exposed the personal information of 2.4 million customers. However, they are owning up to it and taking quick action to mend the situation. It does nothing to change the leak, but it is a refreshing change.
Wyze Data Leak
Wyze, a manufacturer of security cameras, admitted on December 26 that it had been made aware of a “data leak” that affected the personal information of nearly 2.5 million customers. This was caused by “a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” wrote Wyze co-founder and chief product officer Dongsheng Song in a company post.
He also explained exactly how this leak occurred. “We copied some data from our main production servers and put it into a more flexible database that is easier to query,” Dongsheng explained. “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
Again, while this doesn’t do anything to change the fact that this private information was exposed, it is also notable that this was not a failure of Wyze to protect information as a general rule. This was an employee who didn’t follow proper security protocols.
This leak includes user names and emails, as well as the emails of family members and others with whom camera access was shared, nicknames for the cameras, device and firmware Wi-Fi SSID, last login and logout, the tokens for access from iOS or Android devices, Alexa devices, and more.
In the quoted list, Wyze says height, weight, gender, bone density, bone mass, and daily protein intake information was also leaked for a subset of users, yet the original post also says, “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.” This bit of confusion has not been cleared up.
How Your Information Will Be Handled in the Future
The company explains that this leak happened “to help manage extremely fast growth of Wyze.” This led them to take on this “internal project” to “find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query.”
To remedy the situation, it explained that “all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT.”
While it’s a bit of a pain to log back in again, doing so is important for protecting information in the future. Wyze is not forcing users to reset their passwords, as the passwords weren’t stolen. However, it’s certainly advisable to reset them anyway. It’s also recommended to rename other items that were leaked, including internal Wi-Fi SSIDs and cameras. Taking these steps, as well as repositioning cameras, can help prevent a further data leak.
Do you think Wyze is taking the actions it should to tackle this situation? Tell us your thoughts in a comment below.
Image Credit: Davidlamma via Wikimedia Commons and public domain