The Internet of Things vendor confirmed that customer data was left unsecured on an Elasticsearch database.
An exposed Elasticsearch database, owned by Internet of Things (IoT) company Wyze, was discovered leaking connected device information and emails of millions of customers.
Wyze makes smart home cameras and connected devices like connected bulbs and plugs, which can be integrated with smart home assistants like Amazon Alexa and Google Assistant. The database, which was exposed from Dec. 4 until it was secured on Dec. 26, contained customer emails along with camera nicknames, Wi-Fi SSIDs (Service Set Identifiers, or the names of Wi-Fi networks), Wyze device information, and body metrics “for a small number of product beta testers” who were testing new hardware, according to Wyze.
Up to 2.4 million Wyze users were reportedly exposed. Wyze did not confirm that number other than to say “some Wyze user data” was impacted; Threatpost has reached out for further comment.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” Wyze said in a blog post over the weekend. “We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
Also exposed in the database were Alexa tokens for 24,000 users, which allow users to integrate their Alexa devices with their Wyze cameras. Wyze said that there is no evidence that API tokens for iOS and Android were exposed, but the company decided to refresh them as “a precautionary measure.”
“Yesterday evening, we forced all Wyze users to log back into their Wyze account to generate new tokens,” said Wyze. “We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.”
The database did not contain user passwords or government-regulated personal or financial information, according to Wyze.