Wyze exposes 2.4M customer records via unsecured Elasticsearch database
Internet-connected device maker Wyze Labs Inc. has suffered a data breach, though the company claims there’s no evidence the data was accessed by any nefarious third parties.
The data breach, first detailed by 12 Security Dec. 26, involved an unsecured Elasticsearch database with 2.4 million customer records. The database included the user names and emails of those who were using Wyze cameras along with various details such as the model of the camera, connection times, account and camera login tokens, and WiFi network names.
Emphasizing how the data in the unsecured database could be used to identify users, security information firm IVPM took the data and matched it to its own staff who had reviewed Wyze products in the past.
Wyze confirmed receiving notification at 9:21 a.m. PST Dec. 26, noting originally that it was unable to confirm the data breach. As a precaution Wyze upped security on its system databases and pushed out a token refresh to all Wyze users.
The company confirmed the data breach Dec. 27, saying that “some Wyze user data was not properly secured and left exposed from December 4th to December 26th.” Today, Wyze updated the thread to say that it had since discovered an additional database that was left unprotected. “This was not a production database and we can confirm that passwords and personal financial data were not included in this database,” the update reads.
The data is said to have been accidentally left exposed when it was transferred to make the data easier to query. But in a story similar to nearly every other data breach involving cloud storage, a Wyze employee is claimed to have “failed to maintain security protocols.”
Wyze’s transparency after the data breach, including regular updates, processes being undertaken and proactive steps to protect customer security, is commendable. But in an age when Elasticsearch and other cloud-related database breaches are in the news nearly daily, there’s no excuse for the data to have been exposed in the first place.
Much of the security community is currently on holiday, but it’s easy to know what experts would say. It’s imperative that companies put in place processes to make sure that cloud-hosted data is secured at all times. That includes employee education, internal processes and software designed to test regularly for public-facing data that shouldn’t be.