Smart home devices maker Wyze Labs recently left a large database exposed to unauthorised access that contained usernames and email addresses of up to 2.4 million users, API tokens needed to log in to user accounts, Alexa tokens of 24,000 users, and detailed health information of a subset of users.
The exposed ElasticSearch database owned by Wyze Labs was discovered by researchers at Twelve Security who observed that it contained details of smart home cameras such as nicknames, device models, and firmware that were installed in users' homes, as well as API tokens that allowed anyone to access user accounts from any iOS or Android device.
The database was also found containing detailed health information such as height, weight, gender, bone density, bone mass, and daily protein intake belonging to a set of users. Incidentally, millions of users whose personal and device information were stored in the database were located outside of China.
In an update posted to its official user forum, Wyze Labs admitted to the breach, stating that two of its databases were left exposed to unauthorised access due to an error committed by an employee.
The firm said that while account passwords, video files, or financial information of its customers were not stored in the database, it confirmed that information leaked through the exposed database included "Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens." The leaked information belonged to all customers who created an account with the company prior to 26th December 2019.
"On December 26th at around 10:00 AM, we received a report of a data leak. We immediately restricted database access and began an investigation. Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th," the company said.
"To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query.
"This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.
"While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations," it added.
An error by a Wyze employee resulted in the leak of health information, usernames, & access tokens
The company said that the allegations of Twelve Security that it transferred user data to Alibaba cloud is false even though it does have official Wyze employees and manufacturing partners in China. It also said that there is no evidence of anyone using the leaked access tokens to access any user account after 4th December when the database was left open to public access.
The company also provided details of what information was left exposed as a result of an employee error on the 4th of December:
- User name and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app
API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
After the company confirmed the massive data leak on the 26th, Wyze refreshed access tokens for all users to prevent unauthorised logins, added another level of protection to its databases, compulsorily logged out all customer accounts, notified all users about the breach and advised them to change their passwords and implement two-factor authentication in the Wyze app.
The company also refuted allegations that it did not focus much on cyber security of its smart home devices since it offered such devices at very low rates and that people did not expect these devices to be completely secure, to begin with.
"We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this.
"This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication. For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward. We’ll continue to update you as we make progress," it added.