In response to the alleged data breach against its production database, Wyze logged outfits users out of their accounts and has strengthened security for its servers.
“Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people’s security cameras, local networks, and email addresses in exposed databases.”, stated Android Police.
Texas-based Twelve Security, a self-described “boutique” consulting firm, claimed of a data breach against Wyze’s two Elasticsearch databases on Medium yesterday. The data has come from 2.4 million users from the United States, United Kingdom, the United Arab Emirates, Egypt, and parts of Malaysia.
The data included, email addresses, firmware versions, and names of every camera device in a household, time of devices’ last activation, times of users’ last login and logout, account login tokens for users’ Android and iOS devices, camera access tokens for users’ Alexa devices, Wi-Fi SSID, and internal subnet layout. Some users who also gave out more information, their info was also tracked, their height, weight, gender, bone health, and protein intake were also exposed.
Twelve Security also posted that Wyze was clearly dealing with and trafficking data through Alibaba Cloud servers in China. Video surveillance news blog IPVM along with Twelve Security could spot devices and accounts linked to their staff those reviewed Wyze products. They chose not to inform Wyze about this breach before going public because of the negligence of the company and probable link to Alibaba and previous security blunders.
Wyze in response to these allegations logged out the users from their accounts but posted in their community forum that it failed to verify a breach. Wyze also denied any relation with Alibaba.
But later it posted that the breach was caused by an employee and was a “mistake” and the affected customers can expect an email from the company and as a caution,n the company logged out all users and they’ll have to log in again with two-factor authentication.