So I get a notification on my Apple phone that there has been a security breach at WYZE and that my userID and password for my external router has been compromised and needs to be changed !!!
It is really curious to me why a company trying to be a leader in home security wouldn’t take it upon itself to notify customers. As a result, I am disconnecting my Wyze equipment as quickly as I can get replacements and will no longer use Wyze products. This is what happens when a company overreaches its core competencies only so much more than profits are potentially at stake here.
Obviously - no need for a reply, but I encourage you to explain why and how this could happen in the forum so maybe existing customers can feel better about their products and connecting their homes to your servers in the belief it will never happen to them.
What kind of notification was it, was it an email or a push notification. it may not be real and a form of social engineering. I would email security@wyze.com so they can look into it.
This is an odd notification. What Wyze product would have your router user name and password? I’m not aware of any Wyze product that would need it and it would be strange for Wyze to ever ask for it. Unless someone can name a Wyze product that would need your username/password for your router/modem I would say this sounds like a scam/phishing email.
It was not email, it had to be direct from Apple as it was at the top of the screen showing the Settings of the for the Wyze App. It had information in it that could only have been known by Wyze and Apple. I wish I had taken a screen shot but did not think of it at the time.
This is not via a email spoof, a scam, or social media phishing attempt.
In app in your network settings you must supply the Wifi SID and password, Wyze must store this info on their systems so that the various devices can communicate over your wifi. I believe Amazon does the same except they ask your permission, rather vaguely, but they ask.
Thanks for the clarification! The wifi-network ID and password makes a lot more sense. Still wish Apple wasn’t giving such a vague warning.
I agree with @Rareapple3’s suggestions. Maybe Wyze has had a major data breach (or really, two? because I don’t think wifi-user ID and password is stored on their servers so there would need to be a longer chain of breaches) we’ll be hearing about it but for right now the most likely issue is that Apple’s new ‘data breach’ feature alerted you to a past data breach of your credentials.
But that’s speculation! Do your own homework and trust your own gut.
Correct, this iOS feature and notification from Apple was specific, it said that due to data breech at Wyze my router Wifi and password had been compromised and it provided the named WIFI SID and recommended that it be changed, and that the password be changed as well.
In this discussion, let us not lose sight of the fact that Wyze has apparently done little to notify customers when issues like this have arisen. As a customer I shouldn’t have to go to BleepingComputer, Redit, or CNET, or any of a half a dozen other tech news outlets to learn that they left a database open for internet access and my information was in it. THEY SHOULD BE IN FRONT OF SUCH OCCURRANCES, accept responsibility, and provide guidance on how to remedy the situation. Instead, they remain in the background perhaps hoping the majority of their trusting patrons never find out because it could be bad for sales. In this case I am lucky because Apple had my back.
They have never notified me and now that I know, I am done trusting them, because they didn’t treat me or my data in a professional manner…
BY THE WAY - TO ALL ANDROID MOBILE USERS, your data may have been breeched as well, you aren’t immune, your phone vendor just has no way to notify you.
RECOMMENDATION - unless WYZE can guarantee you were not affected, (good luck with that), to be on the safe side if you own Wyze gear that connects back to WYZE servers, change your WIFI SID and PASSWORD, perhaps regularly, because you never will know when the next data breech could occur.
Now won’t that make having all this ‘smart’ equipment so much more fun to have and use.
Boy, I really wish Apple had given you more context. Without more information it’s very difficult to diagnose or even believe.
Let’s take Wyze v3 cameras. You can’t reset the network settings through the app. It appears the app doesn’t have access to the camera’s wifi settings, just read-only access on the network name. So that means, for some unknown reason, Wyze would have had to setup the cameras to send the wifi-ID and password back to their servers. There is simply no conceivable reason to do this. It’s all risk and no benefit. It doesn’t help Wyze at all to keep this data.
So, either (a) Apple is right and Wyze has been stupidly, secretly harvesting wifi-SSIDs and passwords for no reason and storing them in a database that was breached or (b) Apple is mistaken in some way (e.g. the breach came from somewhere else but got assigned to Wyze).
It’s possible Apple is correct but you’d think if they were that it’d be all over the news (or Apple would provide more information itself). I’m not saying you’re wrong, companies do stupid stuff all the time, I’m just saying this is an extraordinary claim because the chain of events required is so extraordinary.
For example, if Apple claimed there was a Wyze data breach of Wyze account usernames and passwords, or forum names/passwords that would be far more believable. Wyze obviously has databases of that information.
Hopefully, we’ll hear more soon. If you get any more detailed info on the claim or a screenshot I’d be curious to see it.