[Updated 02-13-20] Data leak 12-26-2019

I am working on an update and will be posting it soon. I changed the forum update time because it changes the link (which is included in the email).

6 Likes

Let me begin by saying that I am in no way a cloud or security expert. I work with cloud database admins and with database/platform security vendors. Basically I know enough to follow along with the conversation and periodically interject with, albeit in my own opinion, pertinent information. With that being said, unless Dan at 12 Security is completely fabricating his information, it all seems extremely plausible. I’m waiting to hear more than just a denial from Wyze on the specific allegations regarding the data being stored, where it is being stored, how it is/was being secured, and who can/has accessed it.

“Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.”

later says…

“Wyze uses Taiwan based P2P service provider ThroughTek who has servers worldwide.
The TUTK servers in China or other countries are hosted on different cloud providers, including Alibaba cloud.”

So WYZE cams do use Alibaba cloud servers that are hosted by TUTK… indirectly, it seems?

What email? I have 4 separate WYZE accounts and emails, and none of them have gotten any emails regarding this event.

It was fun to drive back up to my folks’, 2 hrs away one way, to reset the WYZE products I set up for them on Christmas Eve.

The implication was that Wyze stores production databases and source code on Alibaba cloud, which is false.

The TUTK servers that only provide initial lookup/connection services but don’t store or transmit any customer data are hosted on a number of different cloud providers, one of which is Alibaba.

But that still means they use/connect to them in some fashion. Even if data is not stored there, it is still an open connection that could be compromised.
So where was the open-access data stored, then?
I thought this database thing was on this open Alibaba server, or some other hosting service, or an internal in-house server? I don’t see that info posted anywhere, just that part of the main database was copied and made separate for other purposes.
I am kind of lost with all the updates and conjecture.

12-30-19 update

Hello again,

We have started sending out the email about the data leak to all customers. If you don’t see it now, it should arrive later due to the batching process. Thank you for your patience while we worked through the logistics of this process. Other things that we are currently working on include enhancing our security processes, improving communication of security guidelines to all Wyze employees, and making more of our user-requested security features our top priority for the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.

We have not yet completed our investigation but would like to take the opportunity to answer some questions we have received from the community.

Q&A Updates

What data was exposed?

Our investigation is still in process but we have confirmed the information contained Wyze nicknames (the optional name change in the Account section of the Wyze app), Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens. We refreshed the Alexa tokens so please re-link your Alexa skill if you have not done so yet. We also refreshed the tokens for The Google Assistant and IFTTT.

The information did not contain passwords, personal financial data, or video files.

Who was affected by the breach?

All users that created an account prior to December 26th, 2019.

Why was there a delay in informing affected customers by email?

We wanted to make sure we locked the door before telling everyone it was open. The delay helped reduce the risk of additional parties finding the leak until we locked things down. We waited to send out an email to the entire Wyze community until we could verify exactly how the data was accessed and could say definitively that no more records were exposed. There are also logistical problems involved with sending so many emails at once that we normally do not encounter. Usually, we only send mass emails to a significantly smaller number of newsletter subscribers.

Are you using data security professionals to investigate this? Devs and executives don’t count.

Yes, we are.

How does Wyze protect customer information overseas?

Wyze is headquartered in Seattle, Washington. The majority of our developers, engineers, and employees are here. We also have a Beijing office which has a team of developers, hardware quality assurance people, and product managers but we do not do any business with China’s markets or government. Our servers are set up so that the production servers (along with the exposed servers and any server that contains customer information) are set up in US-based AWS servers. In China, our Beijing developers use a separate test server which allows them to help test and develop products. These servers are hosted on AWS servers in China and do not contain customer information.

Why did users using two-factor authentication (2FA) receive verification texts from multiple phone numbers?

On December 26th, we expanded our 2FA SMS sending line to multiple lines to help accommodate the volume of requests.

What are we doing about international customers using two-factor authentication (2FA)?

Our 2FA method does not function for many of our international customers due to the differences between phone numbers. We are investigating methods to make this available internationally, but it will require infrastructure changes so we cannot promise an immediate release.

14 Likes

Was there an email sent out as soon as this event happened on the 26th?

An update email 4 days later is welcome… but I never saw any notice to inform users of the initial issues and the reason why they could not use their products. I had to Google it to find out why.

Edit: never mind, I see that was kind of answered in the last update post that appeared as I was typing this.

I do appreciate the hard work and effort y’all have put into responding to all this.

2 Likes

You’re welcome, SpeedingCheetah. We understand where you’re coming from and appreciate you taking the time to talk to us about these things.

1 Like

I hope they are paying you overtime :sweat_smile:

1 Like

I would like to see https://sqrl.grc.com/ as a logon option and SSO alternative!

1 Like

Hi @UserCustomerGwen, is there any Q&A for the latest blog post about the data warehouse possibly being exposed? This seems more of an issue of the Elasticsearch being exposed. Not too worried about the whole China server thing.
But it does look like DevOps are running without any basic security 101; there is no excuse to have no auth on a database and only use simple IP whitelisting, if that was the only protection :frowning:
Hopefully this will result in full logging of all actions from camera, app and users, and MFA (2FA) with Google Auth, email OTP, or other OAuth/SSO.

1 Like

We are going to be making changes to improve our security practices and have already started. However, I can’t give you more details at this point due to us not having completed the investigation yet. We will continue to post in here as we learn more and appreciate your patience and feedback as we work through this process.

5 Likes

@UserCustomerGwen

What will the subject or sender be? I get so many emails that I don’t want to miss it. Thanks for all you’ve done. Have a Happy New Year. :confetti_ball:

1 Like

I believe that the subject will be “An Update from Wyze”. Thanks for checking in and Happy New Year to you, too!

4 Likes

I find it troubling that I had to find out about this breach from the news, instead of directly from Wyze. And Wyze is just now going to send out emails about it to us…seriously?

Thanks @UserCustomerGwen

1 Like

We’re sorry, Resist. We understand where you’re coming from.

1 Like