Update: Wyze has since confirmed the breach and says it has uncovered an additional database that was also "left unprotected." The company says of the initial vulnerability that some users' data was left exposed from Dec. 4 to Dec. 26. The second was identified on Dec. 27, thanks to a Wyze community member. In both cases, Wyze says passwords and personal financial information were not exposed.
The database at the center of last week's report, though, "did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations." Wyze also says several points from Twelve Security's original report are "not true," and insists it does not send data to Alibaba Cloud.
"For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward," Wyze says. "We’ll continue to update you as we make progress." The original article follows.
Millions at risk — Wyze, the most affordable smart security manufacturer whose products actually work, might be facing a serious data breach. “Boutique consulting firm” Twelve Security published a blog post on Thursday alleging that 2.4 million users and 24,000 Alexa tokens are at risk. IPVM claims to have seen proof of the breach and reported confirmation on their website as well as to Wyze.
Wyze responded by logging users out of their accounts, which should force them to use or set up new two-factor authentication codes. Unfortunately, the volume of customers rushing to protect their accounts is a bit more than the company can handle. The alleged Wyze breach is the latest in a string of smart security camera vulnerabilities.
Something’s not right — Twelve Security lambasted Wyze for poor response time, but the firm itself never informed the company of the breach, which was irresponsible. Its blog post seems more concerned with allegations of Chinese espionage than with protecting people’s vulnerable data. IPVM shared the problem with Wyze via support ticket and also included some screenshots in its report.
“Twelve Security asked IPVM for input on Wyze’s market positioning since we report and test on video surveillance products such as Wyze,” says John Honovich from IPVM. “The records shared supported that there was a massive data breach with tens of millions of records,” but he admitted they haven’t combed through all of them. Honovich also notes that since they haven’t seen every single record, they can’t support Twelve Security’s claim that this data is funneled to Chinese servers.
What Wyze customers should know — Upon finally learning of the issue, Wyze quickly logged its users out. They must now log back in using 2FA, but some users experienced an “InvalidPhoneNumber” error due to an overloaded system. This error is believed to be resolved as of 9:00 p.m. PT on Thursday.
Wyze maintains that they do not use Alibaba’s cloud servers, as Twelve Security claims, and they haven’t been able to confirm the firm’s findings on their end. After three hours of failing to internally confirm the breach, Wyze pushed a token refresh and added a layer of security. Users who successfully log back in with 2FA will need to relink their Alexa, IFTTT, and Google Smart Assistant integrations.
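The forced logout, token refresh, and integration relinking described above are a standard response to leaked session or integration tokens. As an added illustration (this is not Wyze's code, and the article does not describe Wyze's actual mechanism), the Python below shows one common way to implement it: every token carries a server-side "generation" number, a global revocation bumps that number so every previously issued token (app sessions and third-party integration tokens alike) fails verification, and new tokens are only issued after two-factor authentication succeeds. The secret, user IDs, and audience names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing secret for the example; a real service would load this
# from a secrets manager, not generate it at import time.
SERVER_SECRET = secrets.token_bytes(32)


class TokenStore:
    """Issues and verifies HMAC-signed tokens with a global revocation generation.

    Hypothetical design for illustration: one generation counter covers all
    users, so revoke_all() is the "log everyone out and refresh tokens" step.
    """

    def __init__(self):
        self.generation = 1  # incremented on every global revocation

    def _sign(self, payload: bytes) -> str:
        return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, audience: str, two_factor_verified: bool) -> str:
        """Mint a token for one audience ("app", "alexa", "ifttt", ...) after 2FA."""
        if not two_factor_verified:
            raise PermissionError("2FA must succeed before a token is issued")
        claims = {
            "sub": user_id,
            "aud": audience,
            "gen": self.generation,   # binds the token to the current generation
            "iat": int(time.time()),
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"{body}.{self._sign(payload)}"

    def verify(self, token: str, audience: str):
        """Return the claims if the token is valid for this audience, else None."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        if len(sig) != 64 or not sig.isascii():
            return None
        try:
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
            claims = json.loads(payload)
        except (ValueError, UnicodeDecodeError):
            return None
        # Constant-time signature check before trusting any claim.
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        # A token minted for Alexa must not be accepted by the app, and vice versa.
        if claims.get("aud") != audience:
            return None
        # Anything issued before the last revoke_all() is rejected, forcing re-auth.
        if claims.get("gen") != self.generation:
            return None
        return claims

    def revoke_all(self) -> int:
        """Invalidate every outstanding token (app sessions and integrations)."""
        self.generation += 1
        return self.generation


if __name__ == "__main__":
    store = TokenStore()
    app = store.issue("user-1", "app", two_factor_verified=True)
    alexa = store.issue("user-1", "alexa", two_factor_verified=True)
    print("before revoke:", store.verify(app, "app") is not None,
          store.verify(alexa, "alexa") is not None)
    store.revoke_all()
    print("after revoke: ", store.verify(app, "app") is not None,
          store.verify(alexa, "alexa") is not None)
```

With this design, the cost of a global revocation is a single counter change rather than a walk over every stored token, which matters when millions of sessions must be invalidated at once; the trade-off is that it cannot revoke one user's tokens selectively, so a real service would pair the global generation with a per-user one.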
We have confirmed Wyze’s assertion that Twelve Security’s public contact number doesn’t accept incoming calls. Through email, we've learned of a pending follow-up post that will feature screenshots of the Wyze vulnerability and evidence of its connection to Alibaba servers.