Wyze co-founder Dongsheng Song has confirmed in a forum post published over Christmas that a recent server leak exposed the details of nearly 2.4 million customers for 22 days. According to ZDNet, the leak occurred after an internal database that was storing valid user data was accidentally exposed online.
Wyze, known for its smart home devices including security cameras, smart plugs, smart lightbulbs, and smart door locks, has revealed that the leaky server exposed details such as email addresses used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers, as well as Alexa tokens for approximately 24,000 users.
As per my records, Wyze had huge Elasticsearch cluster publicly exposed. It included 1,807,201,457 records: log data, API requests and events. https://t.co/RtxDLiqPtC
— Bob Diachenko (@MayhemDayOne)
The leak was discovered and reported by cyber-security consulting firm Twelve Security and separately verified by reporters from security blog IPVM:
“We were first contacted through a support ticket at 9:21 a.m. on December 26 by a reporter at IPVM.com. The article was published almost immediately after (Published to Twitter at 9:35 a.m.). It was published in conjunction with a blog post from a private security company also published on December 26th. We were made aware of this article at ~10:00 a.m. from a community member who had read the article.”
The Wyze exec, however, denied that Wyze API tokens were exposed via the server, as claimed by Twelve Security, while also denying reports that they were sending user data back to an Alibaba Cloud server in China.
