Wyze Labs, a maker of smart cameras and other smart home devices, has confirmed that data belonging to millions of customers has been exposed. Here's what happened and how it affects you.

What happened?

An unsecured server exposed Wyze customers' personal information for over three weeks. Cybersecurity firm Twelve Security discovered the leak and published its findings on 26 December. Wyze co-founder Dongsheng Song then confirmed the leak in a forum post on 27 December.

He described the server as a “flexible database” and said an “employee error” caused its security protocols to be removed on 4 December. As a result, customer data in the database was left open to the public for three weeks, until 26 December, when Wyze was notified of the issue.

It's worth noting that Twelve Security said there are “clear indications” that customers' data was being sent to Alibaba Cloud in China. Song has disputed this point, saying Wyze doesn't use Alibaba Cloud and doesn't share user data with any government agency.

How to tell if you are affected

The data of around 2.4 million Wyze customers has been compromised, according to Twelve Security. There is no tool you can use to see if your personal information was on the exposed server or unprotected database, but Wyze said it plans to send an email to all affected customers.

What sort of information was exposed?

Wyze's exposed server included the following types of personal information belonging to customers, according to Twelve Security:

  • Usernames
  • Email addresses
  • Camera nicknames
  • Device models
  • Firmware information and Wi-Fi SSID details
  • API tokens for iOS and Android
  • Alexa tokens from users who connected Amazon’s voice assistant to their cameras
  • Health information (such as height, weight, bone density, and daily protein intake)

Wyze said its database on the exposed server did not include user passwords. But it did confirm personal health information was on the server due to a beta test of a new smart scale.

What is Wyze doing now?

Wyze has been conducting an audit of all its servers and databases, and it has already found another unprotected database. According to Song, Wyze is now reviewing “all aspects” of its security guidelines, given that multiple databases have been found exposed. Because the API and Alexa tokens were exposed, it also logged all users out of their accounts and unlinked third-party integrations, so that any leaked tokens can no longer be used.

“We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true,” Song added. “We’ve always taken security very seriously, and we’re devastated that we let our users down like this.”

Is there anything you should do?

If you were affected by this Wyze data breach, you are now more susceptible to being targeted online by malicious actors.

Short of deleting your Wyze account and ditching Wyze products, be extra mindful of phishing attacks now that your email address and username have been exposed. Attackers commonly use leaked databases like this one to quickly assemble a large pool of potential victims and to make their phishing messages more convincing. Because camera nicknames and device models were exposed alongside email addresses, a message that correctly names a Wyze product you own is not proof that it came from Wyze. So be wary of spam emails, unsolicited requests, unexpected invitations to click on links, and the like.