[Updated 02-13-20] Data leak 12-26-2019

Where emails sent out to alert customers?!? I did not receive if they did. Also why is there no information/ alert about this on customers account pages or the main web site. From my experience with this company so far, I would expect a bit more than posting on the forums.


Question about the Password Security
I understand the password wasn’t involved in data breach, but I will still be changing mine. However, can Wyze staff let us know if our passwords are stored in the database hashed or as plain text? It would give me much more peace of mind if it were hashed.

Honestly I’m very heartened by Wyze associates’ quick action and the continued openness regarding what, how, why this happened and the resulting security measures Wyze will take going forward.

I was a Wyze fanboy before. Your forthrightness has upped my status to true believer.

Good job Wyze guys (“guys” is not gender specific so don’t get on my case you woke folk).


No emails yet. Wyze said they will be sent to everyone affected. Concerning this is the biggest holiday week (Christmas and New Years) Wyze is probably making sure they have all the facts before the email is sent.


Subject of this post says “updated 12-30” but I don’t see an update from Wyze today?

Edit: Guessing the update was the below post. Would be nice if Wyze would copy all updates to the original post so it’s a central place to look for updates.

Wondering if this has anything to do with this Data leak?

signed…the newbie.

I have yet to figure out how posting works. The order is confusing to me. Probably why I’m not on Twitter.

I am working on an update and will be posting it soon. I changed the forum update time because it changes the link (which is included in the email).


Let me begin by saying that I am in no way a cloud or security expert. I work with cloud database admins and with database/platform security vendors. Basically I know enough to follow along with the conversation and periodically interject with, albeit in my own opinion, pertinent information. With that being said, unless Dan at 12 Security is completely fabricating his information, it all seems extremely plausible. I’m waiting to hear more than just a denial from Wyze on the specific allegations regarding the data being stored, where it is being stored, how it is/was being secured, and who can/has accessed it.

“Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.”

later says…

“Wyze uses Taiwan based P2P service provider ThroughTek who has servers worldwide.
The TUTK servers in China or other countries are hosted in different cloud provider, including Alibaba cloud.”

So WYZE cams do use Alibaba cloud servers that are hosted by TUTK…indirectly it seems.??

What email? i have 4 separate WYZE accounts and emails, that none have gotten any emails to regarding this event.

It was fun to drive back up to my folks. 2hrs away one way, to reset the WYZE products i setup for them on Christmas Eve.

The implication was that Wyze stores production databases and source code on Alibaba cloud, which is false.

The TUTK servers that only provide initial lookup/connection services but don’t store or transmit any customer data are hosted on a number of different cloud providers, one of which is Alibaba.

But that still mean they use/connect to them in some fashion. even of data is not stored there, it still is a connection open to be compromised.
So where was the open access data stored on then?
I thought this database thing was on this open Alibaba server or some other hosting service or internal i house server.? i dont see that info posted anywhere, just that part of the main databases was a copied and made separate for other purposes.
I am kinda lost with all the updates and conjecture of things.

12-30-19 update

Hello again,

We have started sending out the email about the data leak to all customers. If you don’t see it now, it should arrive later due to the batching process. Thank you for your patience while we worked through the logistics of this process. Other things that we are currently working on include enhancing our security processes, improving communication of security guidelines to all Wyze employees, and making more of our user-requested security features our top priority for the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.

We have not yet completed our investigation but would like to take the opportunity to answer some questions we have received from the community.

Q&A Updates

What data was exposed?

Our investigation is still in process but we have confirmed the information contained Wyze nicknames (the optional name change in the Account section of the Wyze app), Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens. We refreshed the Alexa tokens so please re-link your Alexa skill if you have not done so yet. We also refreshed the tokens for The Google Assistant and IFTTT.

The information did not contain passwords, personal financial data, or video files.

Who was affected by the breach?

All users that created an account prior to December 26th, 2019.

Why was there a delay in informing affected customers by email?

We wanted to make sure we locked the door before telling everyone it was open. The delay helped reduce the risk of additional parties finding the leak until we locked things down. We waited to send out an email to the entire Wyze community until we could verify exactly how the data was accessed and could say definitively that no more records were exposed. Also, there are also logistic problems involved with sending so many emails at once that we normally do not encounter. Usually, we only send mass emails to a significantly smaller number of newsletter subscribers.

Are you using data security professionals to investigate this? Devs and executives don’t count.

Yes, we are.

How does Wyze protect customer information overseas?

Wyze is headquartered in Seattle, Washington. The majority of our developers, engineers, and employees are here. We also have a Beijing office which has a team of developers, hardware quality assurance people, and product managers but we do not do any business with China’s markets or government. Our servers are set up so that the production servers (along with the exposed servers and any server that contains customer information) are set up in US-based AWS servers. In China, our Beijing developers use a separate test server which allows them to help test and develop products. These servers are hosted on AWS servers in China and do not contain customer information.

Why did users using two-factor authentication (2FA) receive verification texts from multiple phone numbers?

On December 26th, we expanded our 2FA SMS sending line to multiple lines to help accommodate the volume of requests.

What are we doing about international customers using two-factor authentication (2FA)?

Our 2FA method does not function for many of our international customers due to the differences between phone numbers. We are investigating methods to make this available internationally, but it will require infrastructure changes so we cannot promise an immediate release.


Was there an email sent out as soon as this event happened on the 26th??

An update email 4 days later is welcome…but I never saw any notice to inform users of the initial issues and reason why they could not use their products. I had to Google it to find out what why.

edit. Nevermind…i see that was kinda answered in the last update post that appeared as i was typing this post.

I do appreciate the hard work and effort yal have put into responding to all this.


You’re welcome, SpeedingCheetah. We understand where you’re coming from and appreciate you taking the time to talk to us about these things.

1 Like

I hope they are paying you overtime :sweat_smile:

1 Like

i would like to see https://sqrl.grc.com/ for logon option and SSO alternatives!

1 Like