Very alarming that the databases didn’t have cert auth or LDAP/local userpass as 1st line of defence, and hopefully shown up in logging for any unusual login attempts. You need to treat anything in AWS as on the internet, even if you have private VPC links, as it only takes 1 fat finger moment to mess up the security groups, not like the good ole days when internal infrastructure was internal.
This kind of reminds me of when MyFitnessPal was breached, but you know 144 million unique email addresses alongside usernames, IP addresses and passwords hacked and put onto the dark web.
This is what MyFitnessPal posted.
https://content.myfitnesspal.com/security-information/FAQ.html
Do people still use this service? Yes, yes they do.
I could go on to all the companies. I do wonder though to those that are posting that they are “pissed” if they know about all the companies that have leaked their data. I recommend checking here https://haveibeenpwned.com/
This was posted before, but, want to repost it so people can check if their email has already been leaked.
Thankfully, no camera streams were hacked in this event, that I know of. If we find out that happened, this could be a different story altogether.
Super disappointed with the response to this issue from Wyze. The lack of details directly provided to users is disturbing. The inability to change my email on the account is a major problem for me. I have Wyze cams in multiple distant locations on multiple networks and it’s just not possible to start a whole new account, add all the products, and redo all the settings without traveling.
And now the forum moderators are closing the comments like this one as fast as they can. Boo.
Anyone else here ready to go elsewhere? I loved the hardware and price until now.
I posted my comment because none of the responses that I saw have provided an immediate resolution to my issue. Due to Wyze’s decision to not allow email changes, I can’t take steps via the app or website to entirely mitigate the potential damage caused by the revealing of email information. It will cost me time and money to travel to the sites where I have cameras installed. I know that some people don’t think that the breach poses a security risk, but I do. So, yes, I will be dumping my Wyze cams and installing a different remote monitoring solution. Thanks for all the responses that have confirmed that my only option is to ditch Wyze.
It’s too bad that the inability to change your email address is going to cause you to “dump” all of your Wyze cams.
But that happens frequently on this forum that someone finds out they can’t do something they need to do and decides to get rid of cams.
So my offer still stands.
But I’ve got cams at separate locations also. And I have to travel about 1600 miles round trip to change anything. But for me this “breach” does not seem to be a problem for the way I use the cams. And they have performed very well remotely.
Please vote members …before we lose more of you.
signed…the newbie.
You can change your email by deleting your account, create a new account under a new email address, and assign the cameras to the new account.
Perhaps leeving’s problem is the travel to push the setup button. I’ve left most of my remote cams on FW4.9.5.24 due to apprehension of them messing up while over 800 miles away.
And it’s difficult to reload firmware via SD card at a distance.
Can you please use one of any of the major Authenticator apps for 2FA?
It is insane after a huge breach you’d recommend we provide you with more of our personal data (phone number).
Google, Symantec, etc. Doesn’t matter, just pick one.
I haven’t seen the moderators delete any comments unless they devolved into name-calling and things like that. Sometimes they’ll redirect comments into the proper threads to keep things organized, but that’s not the same thing. Comments like yours are perfectly fine.
Looks like someone is doing a hit job on Wyze (regardless of the reasons or validity) so there went most communications from Wyze to users. Suspect everything will have to be said very carefully from this point forward (and will take forever to release statements).
Maybe they should hire a PR firm as well as a good Security Consulting company…
“Song showed his dissatisfaction with how the two parties, Twelve Security and IPVM, handled the data leak disclosure, giving Wyze only 14 minutes to fix the leak before going public with their findings.”
Imagine the dissatisfaction of a Wyze user learning about this security breach in the news. If this was exposed on 12/26, why, on 12/29, hasn’t there been a single email from Wyze to users about this breach??
This is disappointing.
I had faith in this company, being small and a startup.
It was reported on 12/26 with no advance notice to Wyze. (Which is a very shady way for a “security firm” to behave.) Wyze wasn’t able to verify it until the following day, the 27th. They’ve posted several updates since then, and they’re still fact-finding. They’ve already said that they’re planning an email. I expect you’ll see one very soon.
Welcome to the community!!
Yeah, it is very sad the events that have unfolded here. Wyze will be sending out an email soon.
The “security firm” did not submit the data in a way that is the way all other security firms submit their findings, and this has caused a confusion amongst customers because it hit the news outlets before it was supposed to, leading to the issue of timing.
If you owned a business like Wyze, and put yourself in their shoes, you may understand why the email has not been sent out as of yet.
This is turning out to be more and more problematic. While I’m in no position to speculate on the China allegations, the lack of proper security is very troublesome. Wyze needs to reevaluate their strategy for new products right now, and put all of their focus into a redesign of their security, properly with help from an external trusted security company, if they want to have any chance to maintain their good reputation.
They can’t use the “we are new” excuse anymore, not with the amount of customers, products and data, they have the responsibility for.
14 minutes is a lifetime in the cyber world!
We are not technology-illiterate people.
Stop outsourcing security to off-shore and hire American!
A friend sent me a MarketWatch link last night (12/29): Smart-device maker Wyze confirms data leak that could affect millions - MarketWatch
It has been updated since to state “Co-founder says no passwords or financial data were exposed”.
It’s apparent that the team is working very hard to identify and resolve any customer harm.
My first instinct was to go to the Wyze homepage, NO EXPLANATION found.
I then found this forum thread: you are here: [Updated 02-13-20] Data leak 12-26-2019
This morning I received a “Welcome to Wyze.com!” from store@wyze.com but NO EXPLANATION.
The absence of a homepage link to this thread and the absence of an e-mail blast to users creates the impression of something to hide in our conspiracy-theory-driven world. PLEASE be even more forthcoming and err on the side of over-communication.
I purchased my WyzeCams for secure (encrypted) cloud storage. Does this breach tell me that the keys to the secure video storage are NOT secure?
Nevertheless, I am comfortable while awaiting a fully informed response from the Wyze team. My setup:
- 2FA enabled
- Separate IoT SSID for Wyze Cameras
- No WyzeCams in living spaces
Oh, yeah, I changed my password too. ’Cause you know, paranoid. (It couldn’t hurt.)
I will still support Wyze because I hate big companies, especially telecoms etc., with their death grip monopoly on everything.
You walk into a grocery aisle and you have the option of 500 cereals, but want to get health insurance and there are just 2 or 3.
PS: the 500 cereal choices is just an illusion - 99% are owned by 1 company.
That’s your stupid laissez-faire for you.
I suggest you do some more reading. That particular blog post has been responded to many times. Wyze has been very forthcoming about what was exposed, how it was exposed and why it was exposed. And of course what has been done to mitigate the exposure.