Update 12-28-19: Wyze has confirmed that a version of its customer database was, in fact, open for access from December 4 to December 26. This was a copy of portions of the production database, including customer emails, camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. Wyze confirmed that the copied database had the previous security protocols removed, and Wyze is investigating how this happened during the copy.
What you need to know
- Wyze's database was allegedly publicly exposed to the Internet, a breach reported by a security blog.
- Wyze has yet to confirm the breach but has signed out all users as a security measure.
- The breach was not reported in a responsible manner and leaves several questions surrounding its validity.
Wyze, the maker of affordable home security products, has allegedly suffered a data breach in which 2.4 million customer database records have been publicly exposed to the Internet. Twelve Security ran an article on December 26, 2019, stating that they found an open path to the company's Elasticsearch database, which contained some extremely sensitive information, including exact home network details, locations of the cameras in the home, and even personal information on users.
In response to the post, Wyze issued a force sign-out of all users connected to its system and doubled down on its database security within 6 hours of being notified of Twelve Security's post earlier in the day. Wyze states that it was unable to replicate the steps necessary to access its database publicly and has yet to verify that any information was leaked at all. Security website IPVM originally notified Wyze of Twelve Security's post via support ticket and shows evidence that they have confirmed the exploit, citing several screenshots as evidence.
As it stands, Wyze Camera users will need to log back into their accounts and generate new 2-factor authentication (2FA) codes. Any Wyze cameras that have been linked to Alexa, Google Assistant, or IFTTT will need to be re-linked in order to create a new security token. Users are also encouraged to change their account passwords. Wyze also suffered heavy traffic load over the past twelve hours since the database changes were made and had issues with its 2FA servers, but has since ironed those out. Users that had trouble logging into their accounts should no longer have problems, according to the company.
Twelve Security doesn't appear to have responsibly disclosed this breach by reporting it to the offending party first (in this case, Wyze). This has made it difficult to identify how large the breach was before being disclosed and what might have actually been accessed. Wyze is in the middle of an investigation into the breach and has stated that it will report back once it has more information.