Popular smart home company Wyze has been accidentally leaking personal information from millions of users through its connected devices. An Elasticsearch database owned by the company was leaking the information, which included email addresses.
Wyze is an Internet of Things (IoT) company that specializes in cameras and other connected devices for smart homes. Like other IoT devices, the hardware connects with other technology, including assistants such as Amazon Alexa.
The offending Elasticsearch database was exposed between December 4 and 26. Information hosted on the database included email address from millions of Wyze customers. Device information such as WiFI SSIDs, camera nicknames, and general manufacturer details was also stored.
In a blog reporting the exposed database it was confirmed 2.4 million users were affected. Wyze has not confirmed that number, but did admit the database was vulnerable.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” Wyze said in a blog post.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
Alexa tokens from 24,000 users were also exposed. These allow IoT users to connect Alexa with their devices.
“Yesterday evening, we forced all Wyze users to log back into their Wyze account to generate new tokens,” said Wyze. “We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.”
Vulnerable Azure-Powered Database
A month ago, a Azure-Powered TrueDialog Database was found to be vulnerable and exposing millions of people.
The database was discovered by Noam Rotem and Ran Locar from the research team of vpnMentor. TrueDialog is a U.S.-based telecommunications company that allows organizations to access bulk SMS services.
This means most of the messages on the unprotected database were enterprise focused. In a blog post, the researchers say the database had ties to several areas of TrueDialog's wider business. With this link, unauthorized access would allow a diverse dataset to be vulnerable.