My assumption would be to make it easier to set up the next device by pre-populating it in the app, even if it’s on a different device, but I agree, probably low value, and just makes people more scared for no reason (especially with the CCPA law where they’d probably need to disclose that they collect this). They should just keep it in local storage on the app, chances are you’d set up the next device using the same phone.
Only Wyze can answer that specifically. I do have other brands of smart devices that save the network info to make adding additional devices easier. Amazon must save not only network SSID, but passwords also, I think, because when I’ve added a new Echo or Fire TV it connected to my network automatically. I don’t see any reason for Wyze to save SSID though because they don’t function like that, but perhaps in the future?
The # of replies in this thread makes it hard to keep up with notifications. I want to ask a few questions about the current response from Wyze and the latest blog posts from 12Security.
Based on the previous responses from Wyze there was the identification of a limited set of data that was accessible via ElasticSearch; however, the 12Security blogs are now going into claims about direct database access, which goes well beyond the scope of what was previously identified by Wyze as being accessible. Based on the current claim it appears that the entire underlying SQL database was accessible, which greatly expands the scope of data. Can you please confirm / make a statement (when appropriate) of the new claims / broader level of data accessible? Also, there are claims of source code which was accessible that contained hard-coded AWS credentials. What were the roles/access of those credentials? Are they limited to S3 access or were they more broad, where the entire AWS infrastructure could have been compromised by a 3rd party and left behind “active” elements (e.g., is a detailed audit of the ENTIRE AWS infrastructure/OS elements planned)?
The previous claims of data being exposed were tied to a Dec 4th date (which coincidentally matched the date of Shodan/Binary Edge); however, there are new claims about data being accessible since early 2019. Can you please confirm how long data was accessible? (FYI, if there is a first found date on Shodan/BE of X, then usually data was available prior to that date, as they usually work on weekly / bi-weekly scans.) How was your date of Dec 4th, which matched Shodan/BE, determined? Was it confirmed with AWS/OS logs on the ElasticSearch server?
There was mention on the 12Security latest blog post about a notice from Dark Cubed about encryption “infrastructure” related issues reported (e.g., possible interception of the download of the cert used, which could lead to later snooping). The links on the 12Security site are broken with regards to the details, but it is unclear if Wyze was aware of this previous report. Was Wyze aware of this report? If so, what was done with regards to the issue prior to this latest data breach (and why would it not lead to a more “Security” aware situation at Wyze where the breach might have been prevented / discovered earlier by in-house staff and not 3rd parties)?
Hi Darryl, we have seen the 12Security Essay #3 today. In short, we don’t believe our production database was compromised. We were aware of the Dark Cubed report. The issue was already addressed by Wyze. Wyze will go through the items listed in today’s post and reply as needed. We take customers’ security seriously and will try our best to protect our customers. Thanks!
Same here! Deleted from both Alexa and Google, then added them back but nothing works. I cannot turn on lights unless I use the Wyze app. When will this all be fixed?
Did you log out and back in on both the Wyze and Alexa apps?
Delete and add the Wyze skill in Alexa … delete Wyze affected devices … then Discover?
May also need to redo the Routines affected.
You don’t need to delete anything; in fact, doing so won’t resolve the issue, as you have seen. Unlink the Wyze Alexa skill and then relink it. In IFTTT, also unlink the Wyze skill and then relink it.