Security camera manufacturer Wyze is the latest company to experience a data breach, exposing sensitive data of 2.4 million users.
According to Twelve Security, the cybersecurity firm that first discovered the leak, two production databases were left completely open to the internet. These databases contained email addresses of individuals who purchased cameras, emails for anyone who was given access, a list of cameras in use and their nicknames, WiFi SSIDs and more.
Wyze eventually confirmed the breach, although it disagreed with some details about the information that was exposed. Wyze also denies that the databases were production databases, according to a post on the company’s forums.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” the post reads.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
The company did confirm many other details of the breach, however, stating: “It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.”
The company has taken measures to address the breach and restore security. However, as Twelve Security’s author Ghost says: “Personally, in my ten years of sysadmin and cloud engineering, I never encountered a breach of this magnitude.”
Breaches like this continue to be both shocking and unacceptable. As IoT devices become increasingly common in both corporate and personal use, security should be the number one concern—not an afterthought.