The year 2019 ended with yet another data leak, one that exposed the data of more than 2.4 million users. The incident was caused by an unsecured Wyze server. The server remained unsecured for three weeks, which is shocking, as Wyze is one of the most trusted smart security camera manufacturers.
This news first came to light when Twelve Security, a cybersecurity firm, published an article on December 26 of this year. The piece stated that 2.4 million Wyze customers had their security compromised because of the server. The company itself later admitted this.
Dongsheng Song, co-founder of Wyze, announced in a forum post regarding the leak that the server was a flexible database and not a production server.
The only reason for creating the server was to let customers' data be queried much faster. Because of human error, an employee removed the server's security protocols on December 4. The server remained unguarded until December 26.
According to Song,
“We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true,” the co-founder wrote. “We’ve always taken security very seriously, and we’re devastated that we let our users down like this.”
What has been compromised?
The blog post shared by Twelve Security mentioned that the server included information such as:
- Usernames of customers
- Email addresses
- Device models
- API token for iOS/Android devices
- WiFi SSID details
- Camera nicknames
- Alexa tokens (of customers who had connected their Alexa with Wyze’s camera)
- Health information such as weight, height, etc.
The blog article also states that it was evident that data from the server was being sent to Alibaba Cloud, located in China, but Song rejected this completely. Song said that Wyze does not use Alibaba Cloud and that it does not share its users' data or information with any government agencies.
As a result of this discrepancy, Wyze is now conducting internal audits of its databases and servers to find any other security issues. Another database has turned out to be unsecured, according to Song.
What should the customers do now?
Wyze users should remain wary of phishing attacks, according to Song. As their usernames and email addresses have been compromised, hackers might try to get into their systems. Wyze has logged all users out of their accounts.
Moreover, third-party integrations have been closed for now so that security loopholes can be avoided.
In 2019, we witnessed a large number of data breaches and hacks that affected millions of users worldwide, sometimes without their even knowing. From Google to Apple to Amazon, even the biggest names in the tech industry could not ensure bulletproof security and privacy for their users.
Whether the breaches happened because of internal factors, like employees listening in on users' conversations (in the case of Alexa), or external factors, like not having an airtight security system, people were affected.
Now that the year has ended and we have entered 2020, it is anticipated that privacy will become the primary concern of tech giants and digital service providers.