Wyze implemented a token refresh for all of its users after learning of a security incident that allegedly leaked user data.


On December 26, Twelve Security reported that smart home camera provider Wyze had left its production servers open to the web. The security firm stated that the misconfiguration had exposed the sensitive information of 2.4 million users, including their usernames, email addresses, height, weight, gender, bone density, bone mass, daily protein intake, and other health information. It also said that the incident had exposed the email addresses of family members and other users who had shared access to a camera.

Twelve Security said that it had decided not to notify the company before publishing its article because of “clear indications that the data is being sent back to the Alibaba Cloud in China.” It also said that an earlier incident involving the camera provider had informed its decision.

IPVM, a reviewer and tester of video surveillance technology, wrote in its own blog post that it had spoken with Twelve Security, reviewed its findings and confirmed the incident.

A day after Twelve Security published its article, Wyze Co-Founder and Chief Product Officer Dongsheng Song said that the company had received a report of a data leak. He explained that the incident was limited to a flexible database on which teams had copied data from the company’s production servers. That information included customer emails as well as camera nicknames, body metrics and device information of approximately 140 beta testers along with some tokens for Alexa integrations.

Song went on to clarify that a Wyze employee had mistakenly removed the proper security protocols on that database on December 4, thereby leaving it exposed until December 26. He also noted that many of the details reported by Twelve Security were untrue.