I never noticed this before but I’m sure someone from Wyze will clear this up
From the official Twitter account:
But it says now it’s for sale. Not looking good.
And why would the app login to the mfr’s website?
I think everyone so far has reported it in reference to a saved password. I’m wondering if that means that an older version of the app used this URL. You might be able to test that by removing the password and logging out and in again, to save to your password manager again. Anyway, we can wait for an official comment, but either way, it doesn’t seem particularly suspicious to me.
Definitely a URL in the URL field. http://hualai.com… (no https!)
Full control with China!?!?!? I’m not knowledgeable on security stuff but I can tell you that “trust” is not a word I like to hear in regards to my privacy and China. If routing login traffic through a Chinese URL that has now gone dark was important to the operation of the Wyze system, what replaced it and who controls that new connection?
Just to be clear here, I’m a huge fan of Wyze and even suggested to my son that he might want to seek employment with the company. I think this current hacking incident could POSSIBLY be the work of Wyze competitors trying to knock them off their stride. Be up front with us Wyze. If you screwed up tell us so and what you’re doing to assure that you keep our loyalty. Otherwise you’ll probably experience a very quick death spiral and it won’t be pretty. Don’t sacrifice security for speed or cost.
They have been and are continuing to be upfront and very responsive. I don’t see how they could be more so. Just FYI their responses are getting lost in the clutter of speculation but that’s actually pretty typical.
I’m in the situation that if they “hack” my cams and get my Wyze passwords it’s a “so what?” occurrence. Except for monitoring things like the dog bowl, the sump pump etc., all my cams (about two dozen) are “outside” cams viewing “public” places.
I like to keep an eye on my vehicles, my yards etc.
When I saw early on that tinyCam was able to access all my camera names I figured the level of security to expect from Wyze would be minimal. So I fully expect that somewhere in China there may be a person employed to snoop on my cams and see the dog poop in the yard or drink water from his bowl.
Well, with TinyCam they either use your credentials for non-RTSP cameras or they use no credentials and use the stream on RTSP. Since the camera name is included in the stream either way, I don’t see an issue?
tinyCam dev here. tinyCam uses exactly the same API as the original Wyze app. It can get all information from Wyze services if you give the tinyCam app your Wyze account credentials (they will be stored locally though).
For instance tinyCam supports Google Nest cameras (as well as many others). If you set Nest account credentials in the app all Nest related data (like camera names) will be available to tinyCam app as well.
This Wyze data breach issue is not about a vulnerability or hacking. It is about a Wyze admin mistake IMHO.
P.S. I think as a reputation recovery Wyze should think about ordering a Cyber Vulnerability Audit (CVA) from some well known security company to check their whole infrastructure.
P.S. The guys from 12security made a very wrong decision by not notifying Wyze about that problem. This shows their low level of expertise. Constantly running network scanners is easy.
Does anyone know what DATA is being stored on Wyze servers? MAC addresses? SSID Name? SSID Passphrase? etc?
From what I know it stores the WiFi SSID name and MAC address. But not the SSID password.
It stores access and verification tokens instead of the Wyze username and password (Wyze will cancel tokens on their side). So your Wyze account login data are safe regardless of what people say in this topic.
I used tinyCam (which I use, paid for and like) as an example because one of the things the Twelve Security blog mentioned prominently was
Which tinyCam displays in a VERY nice format (thank you) when I’m adding cams. And it seemed Twelve Security thought that was a security leak but I’ve not heard any complaints about it being a security leak before.
If one wants security, it’s difficult to do it at low cost. If someone wants to record their family home inside and then put it on a wireless signal which will broadcast 100 meters, then they had better figure on putting a fence at 200 meters, or put up with the fact that the signal can be captured and hacked.
I strongly agree that a CVA is needed, especially as Wyze starts fielding locks. I don’t mind if some hacker captures my data stream of the dog doing his business on my lawn or the level of water in my sump tank. But I would be severely aggravated about them hacking my locks.
What password manager are you using? Just curious, as 1Password and LastPass both show com.hualai, not hualai.com?
This com.hualai / hualai.com thing is a non-issue. The password manager is getting it from the app name/ID which all Android apps have and which is usually based on the web/email address of the account which published them to the Play Store originally. Most of them start with com. because most addresses do. I have apps that start with net. and org. The important thing to note is that once published, the developer can NOT change it because that would essentially fork the app, and currently installed users would no longer get updates and app data would not transfer over to installs of the new app. Likely the address was used by the Wyze dev with that last name (as seen on the Twitter account posted above) when the app was first created, probably before the name Wyze was even a part of it, or someone developed the app independently and Wyze bought the rights to it. Regardless, it has nothing to do with that web address and everything to do with how Play Store publishing works. Your data is not being sent to some ghost server on an unclaimed web address; your password manager is guessing the address from the app ID.
It’s LastPass I’m using, and this is what shows up: http://hualai.com
I just put the login for the app in the password manager on the 26th when I changed my password. I did not have it in there before that, so it’s not old.
I’m not worried about it; I’m just posting what it shows in there.
Okay that makes sense. If you don’t give LastPass a URL it constructs one based on the app ID. The constructed URL is often incorrect as in this case. Since I supplied the correct URL when I created the login in LastPass I never saw the manufactured one.
Yes, I didn’t create it, I just let LastPass save it.
Now that I think about it, I understand what’s happening. Sometimes if your login is on a subdomain, for example, it tries to add the entire domain. 90% of the time, that’s useful, but sometimes it’s not, and it tries to autofill my password somewhere where it wouldn’t be used. I’m guessing this would probably be coming from similar logic within LastPass. It’s not actually sending your passwords there, it’s just guessing that you might want it to be autofilled on that domain, basically.
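The three explanations above (the manager deriving a URL from the Android package ID, and the "save the whole domain so it autofills on every subdomain" logic) can be modelled in a few lines. The following is an added example written for this thread; it is not code from LastPass, 1Password, Wyze or tinyCam, and the exact rules those products use are not known from the thread. The package ID `com.hualai` is the one quoted in the posts; the `http://` scheme on the derived URL, the two-label "base domain" rule and the `VaultEntry` record are assumptions made for the demonstration.

```python
# Added example (not from the thread or from any password-manager vendor):
# how a vault can end up showing "http://hualai.com" for an Android app whose
# package ID is "com.hualai", and why that URL is only a guess that says
# nothing about where the app actually sends traffic.
from dataclasses import dataclass
from typing import Optional


def guess_domain_from_package(package_id: str) -> Optional[str]:
    """Reverse a reverse-DNS Android package ID into a plausible web domain.

    "com.hualai" -> "hualai.com", "org.example.app" -> "app.example.org".
    Returns None when the ID has fewer than two labels or contains a label
    that cannot be a hostname label (Java package names may contain "_",
    hostnames may not). The result is a guess: nothing here proves the
    domain is registered, owned by the app publisher, or ever contacted.
    """
    labels = package_id.lower().split(".")
    if len(labels) < 2 or any(not lab or "_" in lab for lab in labels):
        return None
    return ".".join(reversed(labels))


def registrable_domain(hostname: str) -> str:
    """Crude "base domain" rule: keep the last two labels.

    This reproduces the behaviour described above, where a login made on
    accounts.example.com is stored under example.com and then offered on
    every *.example.com host. Real managers consult the Public Suffix List
    so that example.co.uk is not reduced to co.uk; that refinement is
    deliberately skipped here (assumption for the demo).
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_matches(saved_domain: str, hostname: str) -> bool:
    """True when the vault would offer the entry on this host."""
    host = hostname.lower().rstrip(".")
    return host == saved_domain or host.endswith("." + saved_domain)


@dataclass
class VaultEntry:
    title: str
    url: str
    # "user-supplied": the person typed the URL themselves.
    # "derived-from-package-id": the manager manufactured it from the app ID.
    source: str


def entry_for_android_login(app_title: str, package_id: str,
                            user_url: Optional[str] = None) -> VaultEntry:
    """Build the vault record a manager might save for an in-app login.

    When the user supplies a URL it is stored as given; otherwise the
    manager falls back to a URL derived from the package ID. The "http://"
    scheme is an assumption: the manager has no way to know whether the
    guessed host speaks HTTPS, and nothing is ever connected to it.
    """
    if user_url:
        return VaultEntry(app_title, user_url, "user-supplied")
    guessed = guess_domain_from_package(package_id)
    url = f"http://{guessed}" if guessed else ""
    return VaultEntry(app_title, url, "derived-from-package-id")


if __name__ == "__main__":
    auto = entry_for_android_login("Wyze", "com.hualai")
    manual = entry_for_android_login("Wyze", "com.hualai", "https://www.wyze.com")
    print(auto)    # derived URL, the situation reported in the thread
    print(manual)  # the user-supplied URL hides the derived one entirely
    print(registrable_domain("accounts.example.com"),
          autofill_matches("example.com", "login.example.com"))
```

The `source` field is the practical check: an entry whose URL was derived from the package ID carries no evidence about the app's network behaviour, so the right way to settle "where does the app log in" is to inspect the app's traffic or its configuration, not the vault.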