What is up with the data breach?

I’m in the situation that if they "hack"my cams, get my Wyze passwords it’s a “so what?” occurrence. Except for monitoring things like the dog bowl, the sump pump etc. all my cams (about two dozen) are “outside” cam viewing “Public” place.
I like to keep an eye on my vehicles, my yards etc.
When I saw early on that tinyCam was able to access all my camera names I figured the level of security to expect from Wyze would be minimal. So I fully expect that somewhere in China there may be a person employed to snoop on my cams and see the dog poop in the yard or drink water from his bowl.


Well with TinyCam they either use your credentials for non RTSP cameras or they use no credentials and use the stream on RTSP. Since the camera name is included in the stream either way I don’t see an Issue?

tinyCam dev here. tinyCam uses exactly the same API as Wyze original app. It can get all information from Wyze services if you give tinyCam app Wyze account credentials (they will be stored locally though).
For instance tinyCam supports Google Nest cameras (as well as many others). If you set Nest account credentials in the app all Nest related data (like camera names) will be available to tinyCam app as well.

This Wyze data breach issue not about vulnerability or hacking. It is about Wyze admin mistake IMHO.

P.S. I think as a reputation recovery Wyze should think about ordering Cyber Vulnerability Audit (CVA) from some well known security company to check their whole infrastructure.

P.S. Guys from 12security made a very wrong decision not notifying Wyze about that problem. This shows their low level of expertise. Constantly running network scanners is easy.


Does anyone know what DATA is being stored on Wyze servers? MAC addresses? SSID Name? SSID Passphrase? etc?

From what I know it stores WiFi SSID name and MAC address. But not SSID password.
It stores access and verification token instead of Wyze username and password (Wyze will cancel tokens on their side). So your Wyze account login data are safe regardless what people say in this topic.


I used tinyCam (which I use, paid for and like) as an example because one of the things Twelve Security blog mentioned prominently was

Which tinyCam displays in a VERY nice format (thank you) when I’m adding cams. And it seemed Twelve Security thought that was a security leak but I’ve not heard any complaints about it being a security leak before.
If one wants security it’s difficult to do it low cost. If someone wants to record their family home inside and then put it on a wireless signal which will broadcast 100 meters then they better figure on putting a fence at 200 meters, or put up with the fact that the signal can be captured and hacked.
I strongly agree that a CVA is needed, especially as Wyze starts fielding locks. I don’t mind if some hacker captures my data stream of the dog doing his business on my lawn or the level of water in my sump tank. But I would be severely aggravated about them hacking my locks.

1 Like

What password manager are you using? Just curious as 1Password and LastPass both show com.hualai not hualai.com ?

This com.hualai hualai.com thing is a non-issue. The password manager is getting it from the app name/id which all Android apps have and are usually based on the web/email address for the account which published them to the Play store originally. Most of them start with com. because most addresses do. I have apps that start with net. and org. The important thing to note is that once published, the developer can NOT change it because that would essentially fork the app and currently installed users would no longer get updates and app data would not transfer over to installs of the new app. Likely the address was used by the Wyze dev with that last name (as seen on the Twitter account posted above) when the app was first created, probably before the name Wyze was even a part of it, or someone developed the app independently and Wyze bought the rights to it. Regardless it has nothing to do with that web address and everything to do with how Play store publishing works. Your data is not being sent to some ghost server on an unclaimed web address, your password manager is guessing the address from the app id.


It’s Last Pass I’m using , this is what shows up , http://hualai.com
I just put the login for the app in the password manager on the 26th when I changed my password I did not have it in there before that , so, It’s not old.
I’m not worried about it , I’m just posting what it shows in there

1 Like

Okay that makes sense. If you don’t give LastPass a URL it constructs one based on the app ID. The constructed URL is often incorrect as in this case. Since I supplied the correct URL when I created the login in LastPass I never saw the manufactured one.

Yes I didn’t create it, I just let lastpass save it

Now that I think about it, I understand what’s happening. Sometimes if your login is on a subdomain, for example, it tries to add the entire domain. 90% of the time, that’s useful, but sometimes it’s not, and it tries to autofill my password somewhere where it wouldn’t be used. I’m guessing this would probably be coming from similar logic within LastPass. It’s not actually sending your passwords there, it’s just guessing that you might want it to be autofilled on that domain, basically.

1 Like

That’s it exactly. Most password managers try to guess where the web link should be if they can’t determine it otherwise. They don’t actually send anything there, unless you choose “Open and Fill” or whatever your managers equivalent is.

I’ve asked the LastPass support staff to review this part of the thread to keep us from having to guess how their software works.

1 Like

I’m pretty pissed off that i heard about this breach via the internet and STILL have not heard through Wyze in any form that it happened. I have been a loyal customer and love your products. I ordered the doorlock! (which i still have not received). I dont even know if I want to use it now that i’ve heard about this breach and the lack of any confirmation from Wyze. When did you plan on sending out the email… oh btw we left your information out there without any security for the world to see, this happened a few weeks ago, sorry we are just letting you know now.

This is a total lack of concern… and it may be the end of my relationship with Wyze.

you could have handled this in a much better way.

MOD NOTE: Post edited to conform to the Community Guidelines

Wow, do you even read the posts?

He/she means reaching out to customers directly. The percentage of customers that come to the forum is probably very small. I’m surprised too that it’s taking them to figure out how to word the apology email that should be coming.

I would think it’s less about “wording” and more about making sure all the information is known and correct before they send something.

I would think that since they knew mostly info easily obtained by other means was "leaked " they admitted to it promptly then tried to get “The Suits” to agree.
Remember HOLIDAYS !

What is this “holiday” thing you speak of?