Wyze Labs Exposes 2.4 Million Camera Users via Unprotected Database

• Wyze exposed 40 million records and 2.4 million users via an unprotected Elasticsearch database.
• The customers will now have to reconnect their devices to 3rd party services as all tokens have been reset.
• The database also included email addresses, so there’s a risk of spam and phishing attempts.

Wyze Labs is the latest entity to blunder and expose 2.4 million of its customers via an unprotected database. The US-based company specializes in inexpensive smart home devices like wireless cameras, motion sensors, voice-controlled lights, smart plugs, and smart door locks. This means that exposure affects a particularly sensitive aspect of people’s lives. The security research firm who discovered the unprotected Elasticsearch database, Twelve Security, believes that the number of individual records that have been exposed in this incident surpasses the figure of 40 million, which corresponds to 2.4 million users.

Wyze was notified by IPVM who got the tip from Twelve Security and secured the database on December 26. Apparently, the database was left open to access by anyone since December 4, when an employee of Wyze disabled a security feature and forgot to re-enable it. The type of data that was exposed as a result of this misconfiguration includes the following:

• Customer email addresses
• Wi-Fi network names, SSID, and internal subnet layout
• User nicknames
• Device model numbers
• Device firmware version
• 24000 Alexa integration tokens
• iOS and Android API tokens
• Biometric data of a small subset of users (140)

As Wyze claims now, the exposed data doesn’t include any financial details or user passwords, so even if this information was accessed by malicious actors it wouldn’t have much value. The firm reset the exposed tokens, so if your Wyze device was connected to Alexa or Google Assistant it will have to be reconfigured again. Still, though, the email addresses of people were exposed, opening the door to phishing attempts and spam messaging. That said, beware of any unsolicited messages that arrive on your inbox, making bold claims or requesting more info from you.

Wyze is currently investigating the incident, so they haven’t determined the exact scale and effects of the mistake yet. As a spokesperson of the company stated in the official forums, Wyze may target the entry-level market but that doesn’t mean that they are making discounts on security. He talks about the team’s devastation about what happened and promises that they will revisit all security practices and bump up priority for user-protection features. No matter the promises through, what already happened cannot be retracted, so the exposed customers will now have to be extra careful and assume the worst.

Do you trust Wyze products or do you prefer not to use smart home devices at all? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.