An email address that I ONLY use for Wyze (to include Wyze forums here) has been getting some intermittent spam. Some of this spam has my real name in it.
I have my own domains, and dozens of email addresses that I have sandboxed off for different purposes (banking, retail, subscriptions, etc.) and have never encountered this on any of them except the one I only use for Wyze.
With all the security breaches of different companies going on, has Wyze had a breach of their main site or the forum?
Meanwhile, I probably should change the email address with my Wyze account and the forum.
Before changing email address, I would contact the Wyze Security Team by sending an email to security@wyze.com with your email’s From address the same as the email address in question.
And don’t delete your spam yet, because security will probably ask for examples as attachments to scour the header info.
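The header triage the security team would do on those attached spam samples can be started locally before sending them. The following is an added example, not code from the original thread or from Wyze; it uses only the Python standard library and a constructed sample message with reserved documentation domains and IPs (example.com, 192.0.2.x, 198.51.100.x, 203.0.113.x). It walks the Received chain oldest-first to find the originating IP, checks whether Reply-To differs from From, reads the receiving server's SPF/DKIM verdicts, and flags whether the registered account name appears in the headers or body, which is the detail that made this spam suspicious.

```python
"""Triage the headers of a saved spam message (.eml) before forwarding it.

Added example, not part of the original forum thread. Standard library only.
The sample message below is constructed; no real sender, host or IP is used.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample, as saved from a mail client's "show original" / ".eml" export.
SAMPLE_EML = b"""\
Return-Path: <bounce-4471@mail.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.com with ESMTPS; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.example.net with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Rewards Desk" <promo@example.net>
Reply-To: claim@example.info
To: Jane Doe <wyze-only@example.com>
Subject: Jane, your device reward is waiting
Message-ID: <20240101100000.1234@mail.example.net>
Authentication-Results: inbox.example.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none
Content-Type: text/plain; charset=utf-8

Hi Jane Doe, click here to claim your reward.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECV_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage with unfolded headers."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Return the Received hops oldest-first as (claimed_host, first_ip_seen).

    Each relay prepends its own Received header, so the stored order is
    newest-first; reversing it puts the true origin at index 0. Only the
    hops added by servers you trust are reliable; earlier ones can be forged.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # normalise folded whitespace
        m = RECV_FROM.match(text)
        ip = IPV4.search(text)
        hops.append((m.group(1) if m else "?", ip.group(1) if ip else None))
    return hops


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH.findall(str(value)):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def triage(raw: bytes, registered_name: str) -> dict:
    """Summarise the indicators a security team asks for from a spam sample."""
    msg = parse_message(raw)
    to_name, to_addr = parseaddr(str(msg.get("To", "")))
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    name = registered_name.lower()
    hops = received_chain(msg)
    return {
        "recipient": to_addr.lower(),          # which sandboxed alias was hit
        "to_display_name": to_name,
        "from": from_addr.lower(),
        "reply_to": reply_to.lower(),
        "return_path": return_path.lower(),    # envelope sender (bounce address)
        "reply_to_differs": bool(reply_to) and reply_to.lower() != from_addr.lower(),
        "auth": auth_results(msg),
        "hops": hops,
        "origin_ip": next((ip for _, ip in hops if ip), None),
        "name_in_headers": name in to_name.lower()
        or name in str(msg.get("Subject", "")).lower(),
        "name_in_body": name in body_text.lower(),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_EML, "Jane Doe").items():
        print(f"{key:18} {val}")
```

Run it against each saved .eml with the name exactly as registered on the account; if the same origin IP, Return-Path domain, or Reply-To address repeats across samples, that is the pattern worth calling out in the report to the security team.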
I would agree with my friend @Seapup. Security will definitely want to look at that and get examples, and there might be information they can pull from it that the general public wouldn’t. It might even be something they’re already working on. Getting it directly to the security team is the best bet, although sadly we can’t give you much more than that.
Good catch on it! Most people probably would have missed that!
I’m making the following assumptions, but they could be wrong:
I don’t think it’s a breach on Wyze since the unique secondary Wyze accounts I use for testing/helping aren’t getting spam. (However, there are different kinds of breaches, and it doesn’t need to be complete.)
Assuming it’s not due to a phishing attack
Not email harvesting (assuming the email isn’t posted publicly anywhere)
Not random generation
Not malware or intrusively snoopy apps (IDK, I’ve read some pretty concerning examples of some apps sniping things they shouldn’t be able to, even when you’ve never used them… For example, preloaded bloatware from Facebook or Meta still spies on people who have never opened it or used it or ever logged in and don’t even have a Meta account. While I’m not accusing Meta in particular, the idea itself is concerning.)
The email address doesn’t show up in the haveibeenpwned database.
Could one of Wyze’s third party partners be at fault? For example,
The companies they use for their newsletters and email marketing?
The company they use for their e-commerce/shopping on the website or app? I believe they use Shopify for one of them and another company for the other. Plus they use Amazon’s Buy with Prime. They also use a company to sell things in payment installments. All of those could collect different info. I believe they also have another partner for processing their service subscriptions.
Google and Braze help them with “anonymized” usage data but could potentially access info.
The forum software is through Discourse.
Customer Support partnerships for various things (chat, VoIP, etc)
Integrations (Alexa, IFTTT, Google Home, Google Fit, more)
I could certainly see it being a complicated investigation involving a lot of assumptions or potential 3rd party explanations, but still something very much worth investigating to the degree possible.
My main question would be why it’s not widespread, including happening to my unique emails used only for secondary Wyze account testing. I’ll keep an eye out though.
After having exhausted everything I can check, I did check haveibeenpwned, and nothing reported there.
My email address in question is actually hard to guess (brute force). I’ve never used it anywhere except with Wyze. I would not care about maybe one spam a month, except the spam has my name in it in the same manner as registered on my Wyze account.
Anyway, we’ll see if Wyze Security comes back with anything.
Yeah! I’m interested to hear if anything is discovered. I have my own domain as well, and have been intending to update all of my logins to have a unique email address for every login, similar to also having a unique password. If I don’t reuse the exact same email for every login, that’s just an added bit of security.
So I’ve always been intending to do this. I just haven’t gotten around to it yet.
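The per-login address scheme described in the post above works best when the alias is not guessable from the service name alone (a plain wyze@yourdomain is trivially mass-mailed) but is still recoverable by you, so that a spam hit immediately tells you which service leaked it and lets you rotate just that one alias. The following is an added example, not code from the thread or from any mail provider; the secret, domain and service list are assumptions. It derives the alias from an HMAC over the service label and a version number, and does the reverse lookup with a constant-time comparison.

```python
"""Derive one unguessable e-mail alias per service on your own domain.

Added example, not part of the original forum thread. The SECRET, DOMAIN and
service names are assumptions; keep the real secret out of source control.
"""
import hashlib
import hmac
import re

SECRET = b"replace-with-a-long-random-secret"  # assumption: loaded from a secrets store in practice
DOMAIN = "example.com"                         # assumption: your own domain


def _label(service: str) -> str:
    """Normalise a service name into a safe local-part label (e.g. 'Wyze Forum' -> 'wyze-forum')."""
    return re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")


def alias_for(service: str, version: int = 1, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Return the alias for a service.

    The tag is the first 10 hex chars (40 bits) of HMAC-SHA256(secret, label:version),
    so the address cannot be guessed from the brand name alone, yet you can
    regenerate it at any time. Bumping `version` after a leak yields a fresh
    alias for that one service without touching any other login.
    """
    label = _label(service)
    msg = f"{label}:{version}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]
    return f"{label}-v{version}-{tag}@{domain}"


def service_for(address: str, services, max_version: int = 5,
                secret: bytes = SECRET, domain: str = DOMAIN):
    """Reverse lookup: which (service, version) received this mail?

    Returns None when the tag does not verify, which means the address was
    forged or guessed rather than copied from where you actually registered it.
    """
    addr = address.strip().lower()
    if not addr.endswith("@" + domain):
        return None
    for service in services:
        for version in range(1, max_version + 1):
            candidate = alias_for(service, version, secret, domain)
            if hmac.compare_digest(candidate, addr):
                return (service, version)
    return None


if __name__ == "__main__":
    registry = ["Wyze", "Wyze Forum", "bank", "retail"]
    for s in registry:
        print(f"{s:12} {alias_for(s)}")
    hit = alias_for("Wyze")
    print("lookup:", service_for(hit, registry))
    print("forged:", service_for("wyze-v1-0123456789@example.com", registry))
```

Store the secret somewhere you will still have it in five years (a password manager entry is fine), because losing it means losing the ability to map addresses back to services.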
It was a generic cut-and-paste form letter response “we take our customers’ data safety seriously…” blah, blah, blah. Didn’t even acknowledge the attached spam emails I included. The response could have been written by a GPT bot.
I’ll just change my passwords for now. Maybe I’ll change my Wyze email address later.
I usually assume the first contact is a default response initially to indicate that they received your message and aren’t ignoring you. Hopefully they check more thoroughly and get back to you with more info if they find anything. I’d be interested if you get any follow-up, and I’ll keep an eye out in the other platforms too for anything similar, and when/if I end up switching my main account and others to unique identified logins I’ll pay attention on my end too.