What is up with the data breach?

Doesn’t anyone think that this is kind of fishy?
Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users is listed as some of the data that was exposed?

As yet the alleged breach has not been verified. The official information can be found here.

I agree, but what I’m trying to figure out is how does Wyze know how much I weigh, and how much protein I eat. Maybe I am kind of cynical, but that last line screams to me of trolling. Maybe I’m wrong. I really don’t know.

If verified to be true, I assume that would be related to hardware testers for the Wyze Scale.

4 Likes

@nerdland beat me to it, but yes, I am guessing those are items for the scale test.

2 Likes

Hadn’t thought of that. Kind of off my radar.

Maybe I am just getting old and tired.

2 Likes

At least I can still turn off my lights with the Alexa app. I have no cameras, but I’m not sure that I remember how to use a light switch, and I’d hate to have to ask my wife how to do that. Hoping when I get up in the morning all will be right with the world again.

2 Likes

After reading the entire IPVM post and report, this seems pretty bad and more than just alleged. They even provided screenshots of the accessible data from one of their own employees as proof of the breach. I also didn’t know about the lawsuit they mentioned.

I’m pretty sure the lawsuit is from a patent troll, but I don’t think Wyze has commented on it publicly, probably based on legal advice. It’s not something that would affect customers very much.

As for the report, I think we should wait for a further update from Wyze. I don’t know any details, but it’s very unusual that a legitimate security firm or white-hat hacker wouldn’t first report it privately, so that Wyze would have the opportunity to fix the issue before an announcement was made. It’s also unusual that Wyze can’t verify a breach, if IPVM reported it to Wyze, and IPVM was able to verify it independently. That seems to imply that IPVM hasn’t shared the method with Wyze, perhaps because it doesn’t have direct access to the method, if it exists at all. But I’m just speculating.

2 Likes

In the article it says there is a publicly accessible Elasticsearch database. That’s very easy to verify, so if it’s true I would have expected Wyze to find and verify that right away. Since Wyze seems to be unable to verify IPVM’s claims that makes me wonder if IPVM has accurate information.

4 Likes
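What “very easy to verify” means in practice for the claim above: an Elasticsearch node that is open to the internet answers an unauthenticated GET on its HTTP port with its banner (cluster name, version, the “You Know, for Search” tagline), and `/_cat/indices` then lists what it holds. The script below is an added example, not code from the thread, from IPVM or from Wyze; the host, cluster name and index names in it are hypothetical, and the sample responses are constructed, not captured from any real system. It separates the response-interpretation logic (which runs offline) from the live probe, which should only be pointed at systems you are authorized to test.

```python
"""Check whether an Elasticsearch endpoint answers unauthenticated requests.

Added example, not code from the thread, IPVM or Wyze. All hosts, cluster
and index names are hypothetical; sample responses are constructed.
"""
import json
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"


def classify_root_response(status: int, body: str) -> dict:
    """Interpret the response to GET / on a suspected Elasticsearch port.

    exposed       True only if the node returned 200 with the Elasticsearch
                  banner (cluster_name + tagline) and no credential was sent.
    auth_required True if the server answered 401/403: the instance exists
                  but is not open (e.g. X-Pack security or a reverse proxy).
    """
    result = {"exposed": False, "auth_required": False,
              "cluster": None, "version": None}
    if status in (401, 403):
        result["auth_required"] = True
        return result
    if status != 200:
        return result
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return result  # some other service (nginx page, etc.) on that port
    if data.get("tagline") == ES_TAGLINE and "cluster_name" in data:
        result["exposed"] = True
        result["cluster"] = data["cluster_name"]
        result["version"] = data.get("version", {}).get("number")
    return result


def summarize_indices(cat_indices_json: str, limit: int = 5) -> list:
    """Summarize GET /_cat/indices?format=json output, largest first.

    Real user data on an open node shows up as non-system indices (names
    not starting with '.') holding many documents.
    """
    rows = json.loads(cat_indices_json)
    user_rows = [r for r in rows if not r["index"].startswith(".")]
    user_rows.sort(key=lambda r: int(r.get("docs.count") or 0), reverse=True)
    return [(r["index"], int(r.get("docs.count") or 0)) for r in user_rows[:limit]]


def probe_live(base_url: str, timeout: float = 5.0) -> dict:
    """Run the real check against base_url, e.g. "http://host:9200".

    Two unauthenticated GETs, nothing written. Only use against systems
    you are authorized to test.
    """
    def get(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")

    status, body = get("/")
    verdict = classify_root_response(status, body)
    if verdict["exposed"]:
        status, body = get("/_cat/indices?format=json")
        verdict["top_indices"] = summarize_indices(body) if status == 200 else []
    return verdict


# Constructed sample responses (not from any real cluster).
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "example-cluster",
    "version": {"number": "6.8.0"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": ".kibana", "docs.count": "3"},
    {"index": "user_profiles", "docs.count": "2400000"},
    {"index": "device_events", "docs.count": "98000000"},
])

if __name__ == "__main__":
    print(classify_root_response(200, SAMPLE_OPEN_ROOT))
    print(classify_root_response(401, '{"error": "unauthorized"}'))
    print(summarize_indices(SAMPLE_CAT_INDICES))
```

A 401 or 403 on `/` is the normal answer from a properly secured node; a 200 with the banner is the condition the report describes, and the index summary is what would let a reporter (or the vendor) confirm within minutes whether user records are actually reachable.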

I do hope that’s the case. I’ve been an early adopter for quite some time and really like Wyze both for their products and the company and its employees.

I’m curious why my password manager on my Android phone links to hualai.com for access to the Wyze app… That domain is registered in Taiwan. Does anyone else have suspicious login URLs? Could this be related in any way to what’s going on here?

12/27 @ 4:24AM – According to archive.org hualai.com has been for sale since 2003 although there are some holes midway in the timeline. That means that it wasn’t operational during the snapshots taken by the Wayback machine. Was it a decoy of some sort? Why would my password manager have linked to it? It was an automatic linking, I didn’t enter the record manually.

MOD NOTE: Post edited to conform to the Community Guidelines

And that domain is for sale.

One wonders how many more of those links are embedded in the firmware that Wyze has overlooked? And how many of them have changed hands since Wyze acquired the rights to the firmware?

I cannot agree with this more.

@dan49 @qlang243 Are you guys sure you saw a reference to “hualai.com” and not “com.hualai”? On Android, Wyze’s ID for purposes of the Google Play store is “com.hualai,” which you can see referenced in this URL. I don’t know the exact history or reason for that, but I’m assuming it’s related.

Regardless, “Hualai” is definitely a name that’s associated with Wyze in some capacity, so I wouldn’t consider this to be suspicious.

https://play.google.com/store/apps/details?id=com.hualai
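The mix-up between `com.hualai` and `hualai.com` has a mechanical explanation. Android autofill identifies an app by its package name, and some password managers derive a web domain from that name simply by reversing its labels, so `com.hualai` becomes `hualai.com` whether or not anyone owns or operates that domain (assumption: which managers do this, and whether the poster's manager did, is not established by the thread). A manager that verifies the pairing instead looks for the domain's `/.well-known/assetlinks.json` and checks that it names the package with the `get_login_creds` relation. The code below is an added example, not code from the thread or from Wyze/Hualai; the domain `example.com`, the package `com.example.app` and the assetlinks document are constructed for illustration.

```python
"""How a password manager can pair an Android package with a domain, and how
to tell a reversed-name guess from a Digital Asset Links verified pairing.

Added example, not code from the thread or from Wyze/Hualai. The
reverse-the-package-name rule is a heuristic some managers use (assumption);
the assetlinks.json below is constructed for a hypothetical domain.
"""
import json
from typing import Optional

LOGIN_RELATION = "delegate_permission/common.get_login_creds"


def package_to_domain_guess(package_name: str) -> str:
    """Reverse a Java-style package name into a candidate web domain.

    com.hualai -> hualai.com ; com.example.shop -> shop.example.com
    Nothing here proves the app's vendor controls that domain.
    """
    return ".".join(reversed(package_name.split(".")))


def packages_authorized_for_login(assetlinks_json: str) -> set:
    """Return the package names that a domain's assetlinks.json authorizes
    for credential sharing (relation get_login_creds, namespace android_app).
    """
    allowed = set()
    for statement in json.loads(assetlinks_json):
        if LOGIN_RELATION not in statement.get("relation", []):
            continue
        target = statement.get("target", {})
        if target.get("namespace") == "android_app" and "package_name" in target:
            allowed.add(target["package_name"])
    return allowed


def link_verdict(package_name: str, domain: str,
                 assetlinks_json: Optional[str]) -> str:
    """Explain how a site/app pairing could have come about.

    assetlinks_json is the body fetched from https://<domain>/.well-known/
    assetlinks.json, or None if the domain serves no such file (a domain that
    is merely parked and for sale would fall in that case).
    """
    guessed = package_to_domain_guess(package_name) == domain
    if assetlinks_json is None:
        return "reversed-name guess" if guessed else "unexplained"
    if package_name in packages_authorized_for_login(assetlinks_json):
        return "verified by Digital Asset Links"
    return "reversed-name guess, not verified" if guessed else "unexplained"


# Constructed assetlinks.json for a hypothetical example.com; the certificate
# fingerprint is a placeholder, not a real signing key.
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls", LOGIN_RELATION],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.app",
        "sha256_cert_fingerprints": ["00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                                     "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"],
    },
}])

if __name__ == "__main__":
    print(package_to_domain_guess("com.hualai"))
    print(link_verdict("com.hualai", "hualai.com", None))
    print(link_verdict("com.example.app", "example.com", SAMPLE_ASSETLINKS))
```

The practical check for anyone worried by a surprising URL in their manager is therefore: does the app's Play Store package name, reversed, equal that URL? If so the entry is most likely an automatic guess, and the domain itself (parked, for sale, or not) never had to be involved in the login.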

I can confirm in my password manager the last letter is an i, not an L:
hualai

I didn’t ask about an “L”. They said something about the login connecting through “hualai.com”. I was wondering whether they were actually seeing Wyze’s Google Play app ID, which is “com.hualai”, and is not a URL at all.

2 Likes

The full URL showing in my password manager is hualai.com.

Okay. Good to know. Regardless, it’s definitely a name associated with Wyze and not something I’d consider suspicious. 🙂