Wyze Camera, Customer Database Leaked

John Lister's picture

A "smart" security camera maker has suffered a significant data breach. No video footage was leaked, but email addresses and details of some home gadgets were exposed.

Manufacturer Wyze hasn't revealed full details of how the breach happened, but denied that the leak was due to using cloud computing in China.

According to Wyze, the exposed data covered 2.4 million customers and included "customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations." (Source: wyzecam.com)

"Tokens" refer to code that gives Alexa devices (used to remotely voice control cameras) permission to access a user's account. Wyze hasn't gone into detail on what it means by "body metrics," but denies reports that bone density and protein intake were involved. Around 140 people had provided some body metrics as part of a beta test of non-camera devices Wyze is developing.

Employee Screwed Up

Wyze says human error was to blame.

It says it wasn't the main working database that was exposed. Instead, the company was running a test project to better measure issues such as connection failures. This involved making a copy of some of the data from its main database, which was set to be secure. An employee working on the project mistakenly removed this security, exposing the data.

Responding to the breach, Wyze went for a belts-and-braces approach. It's requiring all users to reset their password, has logged out all third-party devices and apps that accessed cameras and accounts, and will be rebooting all cameras remotely to apply extra security measures.

Phishing Risk Rises

One independent but unverified source claimed the data was exposed on Alibaba Cloud, a Chinese-based service for online data processing. Wyze says this is not the case and stresses that it doesn't share data with government agencies in any country. (Source: arstechnica.com)

As usual in such situations, the most important risk for users right now is phishing scams. It's possible people accessing the leaked data could use it to send emails pretending to be from Wyze and asking users to provide their password.

What's Your Opinion?

Does Wyze's account sound plausible to you? Does it matter that the breach didn't involve camera data and footage, or is it a concern that a "smart" gadget manufacturer suffers any form of breach? How do security concerns affect your interest in high-tech gadgets?


Comments

Jim-in-kansas's picture

I am waiting until a company keeps their database secured on servers physically located and secured here in the USA.

THEN, I will consider doing some things around my home and property dealing with cameras and remote actions, i.e., locking and unlocking doors, etc.

Jim-in-Kansas
grid: DM97NX