Ultra Affordable DIY Security Camera Maker Wyze Suffers Data Breach

Wyze says employee error led to 2.4 million of their customers having information such as email addresses and WiFi networks exposed to the public.

SEATTLE — DIY surveillance cameras (and other smart home devices) have been in the news frequently the past few months due to cyber attacks. Just last week, Ring/Amazon was sued for weak cybersecurity provisions, and earlier this week Wyze notified customers that its cameras have been breached (notice below).

Wyze is known for its feature-packed smart home cameras that cost less than $30. The company has also expanded to offering a makeshift security system and most recently a smart lock.

On Monday, Dec. 30, Wyze notified its 2.4 million customers that from Dec. 4 to Dec. 27, their camera information, WiFi network details, email addresses, tokens associated with Alexa integrations and “body metrics for a small number of product beta testers” were exposed.

Unlike the recent Ring hackings, this data breach is being attributed to employee error. Wyze said the data was exposed after an employee created a flexible database, which removed previous security protocols, to quickly pull user analytics, such as camera connectivity rates, user growth and the number of devices connected per user.

This data breach brings to light another serious cybersecurity issue that doesn’t receive as much attention as high-profile hackings: your own employees.

According to a recent survey, malicious insiders and employee error pose the greatest cybersecurity threats in the workplace. It is essential to make sure cyber precautions are in place and that employees are properly trained and educated about the dangers of cybersecurity lapses.

Research shows that most small businesses fail to act after a cyber attack. Unlike larger companies such as Wyze or Ring, many of these businesses are also unable to withstand the financial impact of a hack or breach. You can learn more about these stats, as well as best practices for securing a small business, here.

Below is the notice sent to Wyze customers about the data breach.

Wyze Users,

There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.

We are reaching out to you because we’ve made a mistake in violation of that trust. On December 26th, we discovered information in some of our non-production databases was mistakenly made public between December 4th – December 26th. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords, personal financial data, or video content.

The information did contain Wyze nicknames, user emails, profile photos, WiFi router names, a limited number of Alexa integration tokens, and other information detailed in the link below.

If you were a user with us before we secured this information on December 26th, we regretfully write this email as a notification that some of your information was included in these databases. If you are receiving this email and joined us after December 26th, we write this email because you use our products and deserve to know how your data is being handled.

Upon finding out about the public user data, we took immediate action to secure it by closing any databases in question, forcing all users to log in again to create new access tokens, and requiring users to reconnect Alexa, Google Assistant, and IFTTT integrations. You can read in more detail about the data leak and the actions we took at this link:

https://forums.wyzecam.com/t/updated-12-30-19-data-leak-12-26-2019

As an additional security measure, we recommend that you reset your Wyze account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. You may also add an additional level of security to your account by implementing two-factor authentication inside of the Wyze app. Finally, please be watchful for any phishing attempts. Especially watch any communications coming from Wyze and ensure they come from official @wyze.com and @wyzecam.com email addresses.

We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Wyze employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.

As we continue our investigation into what happened, we will post future updates to the forum link above. More details will follow and we appreciate your patience during this process. Please reach out with any questions or concerns to our customer support team by going to support.wyze.com.

About the Author

Steven A. Karantzoulidis is the Web Editor for Security Sales & Integration. He graduated from the University of Massachusetts Amherst with a degree in Communication and has a background in Film, A/V and Social Media.
