Report alleges massive Wyze data breach, but many questions remain

Budget smart home company Wyze is the subject of a new security report alleging massive user data loss in what is described as a huge security breach. Wyze has acknowledged the report but has said that it hasn’t yet been able to confirm whether the claims are true. The company was only made aware of the report earlier today from a second party, which claims on its own website that it verified the leak by reviewing ‘the records.’

The initial security breach claim was published by ‘Twelve Security,’ a website that describes itself as a ’boutique consulting firm.’ The report claims that Wyze’s production databases ‘were left entirely open’ for anyone to access, exposing data from 2.4 million users. The report claims the exposed data includes email addresses, lists of cameras with their nicknames, WiFi SSID, API tokens, Alexa tokens, and more.

Oddly enough, the report also claims the leaked databases included various ‘health information’ on some users, including things like height, weight, bone mass, and more. The author of the blog post apparently did not reach out to Wyze before publishing this information to the public, stating in the post that ‘the database is currently live and open. Anyone can access it.’

The report doesn’t include any screenshots of these alleged leaks nor any details about how they were discovered, providing very little to go on. However, soon after Twelve Security published its report, another security company called IPVM published its own blog post claiming that it confirmed the breach after speaking with Twelve Security and reviewing the records.

The IPVM post does contain a single screenshot showing Wyze log events and select other data. Twelve Security has alluded to this as potentially being an act of espionage, claiming that the exposed users are located in countries outside of China. Beyond that, Twelve Security alleges that ‘there are clear indications that the data is being sent back to the Alibaba Cloud in China.’

In a post on its forums this evening, Wyze said that it only learned about the report at 10AM PT / 1PM ET, at which point it ‘mobilized the appropriate developers and executives.’ The company was unable to verify the breach, but says that it ‘added another level of protection to our system databases.’ All users were logged out of their accounts and forced to log back in.

Wyze says its users will need to relink any integrations they have with IFTTT, Alexa, and Google Assistant due to these precautionary measures. The company is also experiencing a massive load on its two-factor authentication server, which means that some users may have issues with logging in for a while.

The company further states that it has attempted to contact Twelve Security, but that the number it has available to it states that it doesn’t accept inbound calls; an email has been sent to Twelve Security, as well, but Wyze says it hasn’t heard back yet. As well, the company notes that it doesn’t use Alibaba Cloud, claiming this allegation is ‘false.’