In a shocking revelation by the IoT vendor Wyze, about 2.4 million user data has been exposed online over a period of 22 days.

Wyze, dealing in smart devices such as smart plugs, smart light bulbs, security cameras, and smart door locks, revealed on December 29, 2019, about a server leak that managed to infringe details of about 2.4 million users.

As per Dongsheng Song, the Co-founder of Wyze, the leak is said to happen post an internal database was accidentally exposed online.

Dongsheng Song said that the exposed database—an Elasticsearch system—was not a production system; however, the server was storing valid user data. The Elasticsearch server is a technology deployed to accelerate search queries and was installed to streamline and sort vast amounts of user data available with the enterprise.

Wyze exec tells more about the incident:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4, 2019, when they were using this database, and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.

More on the server leak

The incident of the server leak was detected and documented by Twelve Security, a cybersecurity consulting firm, and the reports were then independently verified by the IPVM reporters.

On this, Mr. Song had some dissatisfaction to display as the 2 parties gave Wyze as little as 14 minutes to fix the issue before they made the findings public.

The aftereffect

Dongsheng Song confirmed that the leaked server managed to expose details such as email IDs that users used to create Wyze accounts. He further added that certain nicknames that users associated with Wyze security cameras, Wi-Fi networks, SSID identifiers, and for an additional 24,000 users, Alexa tokens to connect to Wyze devices, were exposed as well.

However, Wyze exec denies that the API tokens were exposed via the server. Secondly, they also declined to Twelve Security’s claim that mentioned Wyze sending user data back to an Alibaba cloud server in China.

Song even clarified that they only collected health data of about 140 users to beta-test a new smart scale product.

The Wyze exec added, “We have never collected bone density and daily protein intake. We wish our scale were that cool.”

At the moment, the trio involved in the revelation of the Wyze server leak incident differed with regard to the specifications. However, Wyze has now forcibly logged out all its users and has unsynced the very third-party integration that will now generate a fresh lot of Wyze API and Alexa tokens once users re-login and re-link their Alexa gadgets to Wyze accounts.