Data leak by IoT device maker Wyze exposes personal information of 2.4 million people

Smart home device company Wyze has confirmed that personal data gathered from millions of users was left exposed on the internet for weeks, including email addresses and health data. 

The breach was discovered by security consulting firm Twelve Security and confirmed by IPVM, both posting blogs about it on Dec. 26. According to Twelve Security, the compromised data gathered from 2.4 million people included users’ emails, nicknames given to cameras, Wi-Fi names, health data like weight and gender, and information on users’ Wyze devices. 

The report has since been confirmed by Wyze’s co-founder and chief product officer Dongsheng Song, who said in a Dec. 27 forum post that user data was left exposed from Dec. 4 to 26. According to Song, human error was to blame for the breach.

“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created,” wrote Song. “However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”

It sounds pretty bad, but it could have been a lot worse. Song claims no passwords, financial information, or “government-regulated” personal information was exposed. Your home address should still be safe, even if your email address is not.

Further, though health information such as height, weight, gender, and bone mass was compromised, Song states that data only belonged to 140 beta testers using products still under development. Contrary to Twelve Security’s report, this didn’t include bone density and daily protein intake information.

Still, data leaks such as these are never good, no matter how many people are impacted. 

“We’ve always taken security very seriously, and we’re devastated that we let our users down like this,” wrote Song, vowing to revisit Wyze’s security protocols. Wyze also denied Twelve Security’s claim that data was being sent to the Alibaba Cloud in China.

Wyze is working on emailing everyone who was affected, but there isn’t much users can do except be vigilant. “A 3rd party may have your email address. Be aware of spam or a phishing attempt,” wrote Song. “We’ve logged you out of your Wyze account. You will need to log back in and relink your Alexa, Google Assistant, or IFTTT integrations if you use these services and haven’t done so yet.”

Wyze’s smart cameras, lightbulbs, and locks have been growing in popularity as cheaper alternatives to brands such as Nest. However, though it skipped the price tag of its competitors, it seems it couldn’t dodge the privacy concerns.

“For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward,” wrote Song.