Wyze, a company that sells smart devices like security cameras, smart plugs, smart lightbulbs, and smart door locks has confirmed about a server leak that exposed the details of about 2.4 million customers.
Dongsheng Song, co-founder of Wyze, published a forum post stating that the leak happened when an internal database was accidentally exposed online.
The exposed database — an Elasticsearch system — was not a production system, but the server was storing valid user data. The Elasticsearch server which is a technology for powering super-fast search queries, was set up to help the company sort through the large amount of user data.
The Wyze exec explains that in order to manage the extremely fast growth of Wyze, they have recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
They copied some data from their main production servers and put it into a more flexible database which is easier to query. When it was originally created the new data table was protected, but due to a mistake made by a Wyze employee on December 4th while they were using this database, the previous security protocols for this data were removed.
The cyber-security consulting firm Twelve Security found and documented the leaky server and was independently verified by reporters from IPVM which is a blog dedicated to video surveillance products.
Song however was not satisfied with how the two parties, Twelve Security and IPVM, handled the data leak disclosure, as the company was given only 14 minutes to fix the leak before going public with their findings.
Song confirmed that the leaky server exposed details such as the email addresses customers used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers, and for 24,000 users, Alexa tokens to connect Wyze devices to Alexa devices.
The Wyze exec denied that Wyze API tokens were exposed via the server. Twelve Security claimed they found API tokens which would have allowed hackers to access Wyze accounts from any iOS or Android device.
Song also denied Twelve Security’s claims they were sending user data back to an Alibaba Cloud server in China. He also clarified that Twelve Security claims that Wyze was collecting health information. The Wyze exec said they only collected health data from 140 users who were beta-testing a new smart scale product.
However, Song did not deny that Wyze collected height, weight, and gender information.
As of now, the three parties involved in the disclosure of this leak appear to be at odds about the details the leak.
Wyze stated that they have decided to forcibly log out all Wyze users out of their accounts and unliked all third-party app integrations.