[Updated 02-13-20] Data leak 12-26-2019

Jesus Christ… no, it's not a DDoS attack. Trojan horse??? Are you watching a hacker movie from the 90s or something? Stop saying useless babble.

3 Likes

What is 2FA?

Two-factor authentication. The way Wyze sets this up is by sending a text to your cell phone when trying to log in.

1 Like

Nope, not watching TV. Just a cyber security professional here parsing through the available information.

Twelve Security says:

Since there are clear indications that the data is being sent back to the Alibaba Cloud in China, coupled with the fact a similar breach of Wyze occurred only six months ago, a notice wasn’t given to Wyze.

I don’t quite understand how any of that negates responsible disclosure. I would argue if it was indeed malice or incompetence, they would get ripped to shreds anyway by the community.

4 Likes

I was able to change my password through the web access to Wyze, but not through the app. I continue to get a message saying “invalid phone number”.

Same thing here. Through a tip I was able to change my password (forgot password) by logging in through my desktop browser instead of the app. At least I have peace of mind by securing my account, but unfortunately it currently looks more like an app issue.

Yeah, this seems like a very bad decision without considering the side effect at all.

@WyzeDongsheng @UserCustomerGwen Will there be an email sent out to everyone? I’m sure there are many people who won’t see this post and are wondering what’s going on.

4 Likes

The corporation needs to protect its reputation and its community from the malicious attack.
Don’t wait. Take action. Hire lawyers. Sue them.

This is why I’m not a fan of two-factor authentication using your phone number. Because when something like this happens and you get millions of people all trying to log in at the same time, it overloads and you can’t get in. We need to come up with a different way of having 2FA.

5 Likes

My thoughts exactly!

They exist in the form of authentication apps. Outside of biometrics, authentication apps would be the most secure for this type of use.

Before I get flamed, yes, there are other, more secure types, e.g. HASP keys, RSA keys, etc… but most people aren’t plugging a hardware authenticator into their smartphones for a $20 WiFi camera.

2 Likes

I see you’re new here, welcome. Mind you, I’m not suggesting today’s event is a DDoS, but I am suggesting that an earlier, undisclosed attack provided the infiltration vector that has led to this incident. Now of course, I’m only speculating, but as a professional in the field of security, I am reading between the lines of the various issues Wyze has faced over the last 6 months.

1 Like

My Wyze Sense shows on Alexa correctly and works correctly, but my Wyze bulb will not respond. I deleted it out. Any thoughts on whether it will just automatically reappear, or do I need to add it back in, and if so, how?

I use the Google Titan security key for my email. I can give you the password to my email and it is impossible for you to log in without the key.
I would like to see a local webserver to run all Wyze devices locally without needing to go outside the internet and I would use a VPN in order to access the devices from outside. This is what I have set up for my expensive cameras.

Never trust any data going out to some servers then back to your devices.

1 Like

OK, so now I’m not getting a verification code through text so I can actually log in. Is this part of the hiccup Wyze is having or what?

Same thing for everyone. Still getting invalid number. Their 2 Factor text servers cannot keep up or are more likely down. The message is poor. Default message being returned for servers that are actually not responding.

Well alright alright…another SecOps user is in the house! I hear you - wouldn’t that be grand! Alas, it is but a mere $20 camera…

1 Like

Be careful setting your notification on this thread to “Watching”.
I must have had 30 emails telling me of new posts to this thread!