By Kevin Zhang
This week, security camera startup Wyze confirmed that it suffered a data leak earlier this month. No passwords or financial information were exposed, but email addresses, WiFi network IDs, and body metrics were left vulnerable for around three weeks, from Dec. 4 to Dec. 26, affecting more than 2 million customers.
The data was accidentally exposed when one employee transferred it to a new database in order to make it easier to query; the exposure was due to a failure to maintain security protocols.
Among the exposed data were the height, weight, and gender of around 140 Wyze beta testers. The company said that there was no evidence login tokens had been exposed, but it signed out all customers to generate new login tokens. An additional security action will also cause a reboot of all Wyze cameras in the coming week.
The data leak was discovered by cybersecurity firm Twelve Security, which published an article on December 26, 2019, stating that it had found an opening into the company’s Elasticsearch database, which contained some very sensitive information. Security website IPVM originally informed Wyze of the data leak discovered by Twelve Security.
Wyze said it takes security and privacy seriously and will investigate the causes and details of the data leak.
“This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication,” Wyze said.
Privacy for customers continues to be an issue in the age of the internet. This year, the addresses, names, and data of more than 80 million U.S. households have been leaked.