Ian Randall | The Daily Mail
A data leak by smart home device manufacturer Wyze left the personal details of 2.4 million users exposed on the internet for more than three weeks.
Among the exposed information were user email addresses, Wi-Fi network names, details of users' smart devices and, for a small number of users, health statistics.
Founded by former Amazon employees, the Seattle, Washington-based firm specialises in inexpensive smart cameras, light bulbs, plugs and security devices.
Wyze has since secured the database, forced users to reset their account passwords and required them to re-link any connected third-party services such as Amazon's Alexa or Google Assistant.
According to researchers at Twelve Security, the exposed database contained information on around 2.4 million Wyze users, around a quarter of them based in the US, with the rest scattered across the UK, Egypt, the UAE and Malaysia.
Data compromised in the leak included usernames and associated emails, Alexa tokens for users who had connected their devices to Amazon's virtual assistant, as well as information on specific Wyze devices and their wireless network names.
Furthermore, health stats — including height, gender and weight — were also exposed for 140 users who had been beta-testing Wyze's upcoming smart scale product.
'We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,' Wyze co-founder and chief product officer Dongsheng Song wrote in a forum post on December 27, 2019.
'We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created,' Mr Song wrote.
'However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.
'We are still looking into this event to figure out why and how this happened.'
According to Wyze, the compromised information did not include any passwords, nor personal financial data, physical addresses or 'government-regulated' personal information.
Mr Song denied Twelve Security's report that the compromised information included the bone density and daily protein intakes of the smart scale testers — and the claim that Wyze was sending user data to the Alibaba Cloud in China.
He also rejected the allegation that the firm had suffered a similar data breach earlier in 2019.
'We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true,' Mr Song added.
'We’ve always taken security very seriously, and we’re devastated that we let our users down like this.'
'This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.'
'We are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.'