Employee error to blame for massive data leak, Wyze says
Loads of folks found brand-new Wyze surveillance cameras under their trees or in their stockings this Christmas. And on Boxing Day, the company itself unwrapped a whole new world of trouble for everyone who uses its products, confirming a data leak that may have exposed personal data for millions of users over the course of a few weeks.
Wyze first found out about the problem on the morning of December 26, company cofounder Dongsheng Song said in a corporate blog post. The company’s investigation confirmed that user data was “not properly secured” and was exposed from December 4 onward.
The database in question was basically a copy of the production database that Wyze created to work with, Song explained. Data points left exposed include user email addresses, camera nicknames, Wi-Fi network information, Wyze device information, some tokens associated with Alexa integrations, and “body metrics for a small number of product beta testers.”
The company blames an employee for the exposure. “A mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed,” Song wrote. “We are still looking into this event to figure out why and how this happened.”
A pair of essays from a mysterious (and possibly fake) firm called 12Security first brought the leak to light. The firm alleges that data for 2.4 million Wyze users was included in the leak, claiming that the data was sent to the Alibaba Cloud and that the breach is tied to China.
Seattle-based Wyze, however, has extremely strong ties to Amazon and strongly denies the allegation that it uses the Alibaba Cloud. “Wyze does have official Wyze employees and manufacturing partners in China, but Wyze does not share user data with any government agencies in China or any other country,” the company said.