An exposed Elasticsearch database, owned by Internet of Things (IoT) company Wyze, was discovered leaking connected device information and emails of millions of customers.
Wyze makes smart home cameras and connected devices like connected bulbs and plugs, which can be integrated with smart home assistants like Amazon Alexa and Google Assistant. The database, which was exposed on Dec. 4 until it was secured on Dec. 26, contained customer emails along with camera nicknames, WiFi SSIDs (Service Set Identifiers; or the names of Wi-Fi networks), Wyze device information, and body metrics “for a small number of product beta testers” who were testing new hardware, according to Wyze.
Up to 2.4 million Wyze users were reportedly exposed. Wyze did not confirm that number other than to say “some Wyze user data” was impacted; Threatpost has reached out for further comment.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” Wyze said in a blog post over the weekend. “We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
Also exposed in the database were Alexa tokens for 24,000 users, which allows users to integrate their Alexa devices with their Wyze cameras. Wyze said that there is no evidence that API tokens for iOS and Android were exposed, but the company decided to refresh them as “a precautionary measure.”
“Yesterday evening, we forced all Wyze users to log back into their Wyze account to generate new tokens,” said Wyze. “We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.”
The database did not contain user passwords or government-regulated personal or financial information, according to Wyze.
However, security experts like Troy Hunt, founder of HaveIBeenPwned.com, say the data leak is “serious.”
This one impacting @WyzeCam looks pretty serious. Original public disclosure (which looks like it may have been made prematurely) is here: https://t.co/2WKp7siSSi https://t.co/cnfixxFuTP
— Troy Hunt (@troyhunt) December 27, 2019
Wyze said that they were first contacted about the data leak via a support ticket on Dec. 26 by a reporter at IPVM.com, a news website that “provides reviews, testing and software for selecting and using video surveillance products.”
IPVM posted an article detailing the exposed data “almost immediately after” informing Wyze of the leak. The article was based on a post by Texas-based consulting firm Twelve Security, also published Dec. 26, which detailed the leak.
Wyze stressed that several statements outlined in these articles are not true, including reports that Wyze sends data to Alibaba Cloud, collects information about bone density and daily protein intake, and that the company had a similar breach six months ago.
Moving forward, Wyze said on Sunday that it is sending email notifications to all affected customers and “will provide further updates as we continue forward with our investigation.”
“Again, we are deeply sorry for this situation,” said Wyze. “Thank you for your patience as we work through this process. We have been reading through everyone’s comments and are continuing to work together on methods to improve our security and ensure that similar occurrences never happen again.”