A company that sells smart devices like security cameras, door locks, smart plugs and lightbulbs has confirmed a data breach exposing data for roughly 2.4 million customers.
The company's cofounder confirmed the leak in a blog post on Friday, Dec. 27. Twelve Security was the first to report the leak. Song says the leak occurred after an internal database was accidentally exposed online on Dec. 4 when a mistake resulted in security protocols being removed. The database was exposed from Dec. 4 to Dec 26. "We are still looking into this event to figure out why and how this happened," he said.
According to Twelve Security, data exposed included:
- User name and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app
- API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Song followed up on Sunday. Dec. 29 revealing a second database had been left unprotected. He said all of the databases have been "locked down" and none of the affected databases had any passwords or financial information.
“We’ve always taken security very seriously, and we’re devastated that we let our users down like this,” Song said in the blog post. “We are working on an email notification to all affected customers and plan to release it in the near future.”
