Today, Wyze, an IoT company, announced and confirmed a server leak caused by an accidentally exposed internal database. The leak affects approximately 2.4 million customers. The company sells products such as security cameras, smart plugs, smart lightbulbs, and smart door locks.
According to Wyze’s statement, the exposed database was an Elasticsearch system, not a production system. Even so, the server was storing real user data, which it indexed to power fast search queries and help the company sort through the vast amount of user data it holds. Details exposed in the leak include the email addresses linked to customers’ Wyze accounts, the nicknames of customers’ security cameras, the SSIDs of customers’ Wi-Fi networks, and the Alexa tokens connected to Wyze devices.
However, Wyze clarified some claims made by other security companies:
● Wyze API tokens were NOT exposed via the server.
● User data was NOT sent back to an Alibaba Cloud server in China.
● Wyze was NOT collecting health information from its customers; the only health data it held came from 140 users who were beta-testing a new smart scale product.
Here is part of the statement made by Wyze:
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
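The statement above describes the failure mode in general terms only: a copy of production data placed in an Elasticsearch database whose access protections were later removed. The page does not say which protections those were, so the following is an added example, not code from Wyze or from this article, showing the check a practitioner would run against their own Elasticsearch instances to catch that state: fetch the index listing with no credentials and see whether the cluster answers with data, with an authentication error, or with something else. The target URL, the function names, and the sample responses are all assumptions made for illustration; the sample responses are constructed and contain no real Wyze data.

```python
import json
import urllib.error
import urllib.request

# Hypothetical target for illustration only. Point this at a host you own or
# are authorised to test; the default is a local instance.
DEFAULT_URL = "http://127.0.0.1:9200"


def classify(status, body):
    """Classify an Elasticsearch reply to GET /_cat/indices?format=json.

    Returns one of:
      "open"          - indices were listed without credentials: the data is exposed
      "auth_required" - 401/403: an authentication layer sits in front of the data
      "not_es"        - reachable, but the reply is not an Elasticsearch index listing
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "not_es"
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return "not_es"
    # _cat/indices returns a JSON array whose objects each carry an "index" key.
    if isinstance(parsed, list) and all(
        isinstance(row, dict) and "index" in row for row in parsed
    ):
        return "open"
    return "not_es"


def summarize_indices(body):
    """Return (index name, document count) pairs from a _cat/indices JSON body."""
    rows = json.loads(body)
    return [(row["index"], int(row.get("docs.count") or 0)) for row in rows]


def probe(base_url=DEFAULT_URL, timeout=5):
    """Request the index listing with no credentials and classify the result.

    Returns (verdict, indices); indices is filled in only when the verdict is "open".
    A verdict of "unreachable" means no HTTP reply was obtained at all.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_cat/indices?format=json",
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return "unreachable", []
    verdict = classify(status, body)
    return verdict, (summarize_indices(body) if verdict == "open" else [])


# Constructed sample responses (not real data) so the logic can be exercised offline.
SAMPLE_OPEN = json.dumps([
    {"health": "green", "status": "open", "index": "device_activations", "docs.count": "120"},
    {"health": "green", "status": "open", "index": "metrics-2019.12", "docs.count": "81234"},
])
SAMPLE_DENIED = json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication credentials"},
    "status": 401,
})

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN), summarize_indices(SAMPLE_OPEN))
    print(classify(401, SAMPLE_DENIED))
    print(probe())
```

An "open" verdict from a host reachable outside your network is the condition described in the statement: the data is readable by anyone who finds the port. Run the check from outside the network boundary as well as inside it, since a cluster that is protected on the LAN can still be exposed through a misconfigured firewall or security group, and only against hosts you are authorised to test.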