IoT vendor Wyze confirms server leak

Image: Wyze, ZDNet

Wyze, a company that sells smart devices like security cameras, smart plugs, smart lightbulbs, and smart door locks, confirmed today a server leak that exposed the details of roughly 2.4 million customers.

The leak occurred after an internal database was accidentally exposed online, Wyze co-founder Dongsheng Song said in a forum post published over Christmas.

Song said the exposed database — an Elasticsearch system — was not a production system; however, the server was storing valid user data. The Elasticsearch server, a technology for powering super-fast search queries, was set up to help the company sort through the vast amount of user data. The Wyze exec explains:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.

The leaky server was discovered and documented by cyber-security consulting firm Twelve Security and independently verified by reporters from IPVM, a blog dedicated to video surveillance products.

Song showed his dissatisfaction with how the two parties, Twelve Security and IPVM, handled the data leak disclosure, giving Wyze only 14 minutes to fix the leak before going public with their findings.

“We were first contacted through a support ticket at 9:21 a.m. on December 26 by a reporter at The article was published almost immediately after (Published to Twitter at 9:35 a.m.). It was published in conjunction with a blog post from a private security company also published on December 26th. We were made aware of this article at ~10:00 a.m. from a community member who had read the article.”

Song confirmed that the leaky server exposed details such as the email addresses customers used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers, and, for 24,000 users, Alexa tokens to connect Wyze devices to Alexa devices.

The Wyze exec denied that Wyze API tokens were exposed via the server. In its blog post, Twelve Security claimed they found API tokens that they say would have allowed hackers to access Wyze accounts from any iOS or Android device.

Second, Song also denied Twelve Security’s claims they were sending user data back to an Alibaba Cloud server in China.

Third, Song also clarified Twelve Security claims that Wyze was collecting health information. The Wyze exec said they only collected health data from 140 users who were beta-testing a new smart scale product.

Song didn’t deny Wyze collected height, weight, and gender information. He did, however, deny others.

“We have never collected bone density and daily protein intake,” the Wyze exec said. “We wish our scale was that cool.”

For now, the three parties involved in the disclosure of this leak appear to be at odds in regards to the specifics of this particular leak. Either way, Wyze said it decided to forcibly log out all Wyze users out of their accounts and unliked all third-party app integrations — two steps that will generate new Wyze API tokens and Alexa tokens once users re-log in and re-link Alexa devices to Wyze accounts.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Cryptosoft Trading Bot Review
June 27, 2022
The Largest Crypto Scams Of 2022 (So Far)
The Largest Crypto Scams Of 2022 (So Far)
June 14, 2022
How Do Scammers Entice Their Prey?
May 10, 2022
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Is The Crypto Market Combating A Lehman Brothers Moment?
Is The Crypto Market Combating A Lehman Brothers Moment?
June 30, 2022
Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin19,266 0.25 % 0.23 % 10.50 %
Ethereum1,077.6 0.96 % 2.90 % 13.40 %
Tether1.001 0.04 % 0.01 % 0.03 %
USD Coin1.003 0.04 % 0.16 % 0.01 %
BNB219.11 0.18 % 1.27 % 8.67 %
Binance USD1.010 0.67 % 0.80 % 0.75 %
Cardano0.4542 0.05 % 1.02 % 8.84 %
XRP0.3161 0.14 % 0.92 % 13.94 %
Solana33.36 0.30 % 2.71 % 21.29 %
Dogecoin0.06701 0.60 % 0.69 % 2.27 %

Bitcoin (BTC) $ 19,280.43
Ethereum (ETH) $ 1,066.92
Tether (USDT) $ 1.00
USD Coin (USDC) $ 1.00
BNB (BNB) $ 219.38
Binance USD (BUSD) $ 1.00
Cardano (ADA) $ 0.454451
XRP (XRP) $ 0.315862
Solana (SOL) $ 33.29
Dogecoin (DOGE) $ 0.066616