Wyze exposes 2.4M customer records via unsecured Elasticsearch database
Internet-connected device maker Wyze Labs Inc. has suffered a data breach, though the company claims there’s no evidence the data was accessed by any nefarious third parties.
The data breach, first detailed by 12 Security Dec. 26, involved an unsecured Elasticsearch database with 2.4 million customer records. The database included the user names and emails of those who were using Wyze cameras along with various details such as the model of the camera, connection times, account and camera login tokens, and WiFi network names.
Emphasizing how the data in the unsecured database could be used to identify users, security information firm IVPM took the data and matched it to its own staff who had reviewed Wyze products in the past.
Wyze confirmed receiving notification at 9:21 a.m. PST Dec. 26, noting originally that it was unable to confirm the data breach. As a precaution Wyze upped security on its system databases and pushed out a token refresh to all Wyze users.
The company confirmed the data breach Dec. 27, saying that “some Wyze user data was not properly secured and left exposed from December 4th to December 26th.” Today, Wyze updated the thread to say that it had since discovered an additional database that was left unprotected. “This was not a production database and we can confirm that passwords and personal financial data were not included in this database,” the update reads.
The data is said to have been accidentally left exposed when it was transferred to make the data easier to query. But in a story similar to nearly every other data breach involving cloud storage, a Wyze employee is claimed to have “failed to maintain security protocols.”
Wyze’s transparency after the data breach, including regular updates, processes being undertaken and proactive steps to protect customer security, is commendable. But in an age when Elasticsearch and other cloud-related database breaches are in the news nearly daily, there’s no excuse for the data to have been exposed in the first place.
Much of the security community is currently on holiday, but it’s easy to know what experts would say. It’s imperative that companies put in place processes to make sure that cloud-hosted data is secured at all times. That includes employee education, internal processes and software designed to test regularly for public-facing data that shouldn’t be.
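One way to automate the regular testing described above, as an added example that is not from the article or from Wyze: a Python check that reads a node's elasticsearch.yml and flags an HTTP listener bound beyond loopback without authentication or TLS. The sample configurations, the cluster name and the finding codes are constructed for illustration, and only the flat dotted-key form of the file is parsed.

```python
import ipaddress

def parse_flat_settings(text):
    """Read the flat 'dotted.key: value' form of elasticsearch.yml (nested YAML is not handled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    """True only for values that clearly bind to the local machine."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, lists, _site_, _global_: treated as reachable

def audit(text):
    """Return finding codes for a node that listens beyond loopback without protection."""
    s = parse_flat_settings(text)
    # http.host overrides network.host for the REST API; the default bind is loopback.
    host = s.get("http.host", s.get("network.host", "_local_"))
    if is_loopback(host):
        return []
    findings = []
    # Assumption: security counts only when set explicitly, so releases that
    # enable it by default are over-reported rather than missed.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("no-authentication")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("no-tls")
    return findings

# Constructed sample configurations, not taken from any real deployment.
EXPOSED = """
cluster.name: analytics-copy   # hypothetical name
network.host: 0.0.0.0
"""
HARDENED = """
cluster.name: analytics-copy
network.host: 10.0.4.17
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

Run against every node's configuration in a deployment pipeline, a non-empty result is a reason to block the change before a copied dataset becomes reachable.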
Photo: Davidlamma/Wikimedia Commons