Internet of Things (IoT) vendor Wyze announced a server leak that exposed the data of 2.4 million customers from Dec. 4 to Dec. 24. The leak was the result of an internal database — the Elasticsearch system — being unwittingly exposed online, Wyze Co-founder Dongsheng Song said in a forum post first published on Dec. 26 and updated on Sunday (Dec. 29). He noted that the Elasticsearch system speeds up queries, and though it was not a production database, it stored user data.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” he said in the post. “We copied some data from our main production servers, and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on Dec. 4 when they were using this database, and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
The leaky server was found by cybersecurity consulting firm Twelve Security, and subsequently revealed in a blog post. The information was then independently verified by reporters from the IPVM blog, which is focused on video surveillance products.
Song said that Twelve Security and IPVM gave Wyze just 14 minutes to fix the leak before going public with their findings. The articles published that the data leak exposed usernames, emails, camera models, API Tokens, Alexa Tokens and health information for some users. The company advised users to change their passwords and add two-factor identification in the app.
“We are working on an email notification to all affected customers, and plan to release it in the near future. To balance thoroughness and speed, we will be sending the information that we have on hand, and will provide further updates as we continue forward with our investigation,” the post said in its most recent update.
Massive data breaches are becoming more common as more information moves online and to databases. In November, Canadian cooperative Desjardins Group revealed that a data breach impacted all of its 4.2 million members. Meanwhile, just last week, a data breach at Wawa convenience stores triggered multiple lawsuits filed in Philadelphia seeking class-action status. The breach affected 850 locations along the east coast of the U.S.