IoT vendor accidentally exposes data of 2.4 million users

Wyze, an American IoT vendor, confirmed a server leak that exposed the records of approximately 2.4 million customers. 

The company’s co-founder Dongsheng Song said the leak was accidental and was most probably the result of human error. 

The exposed database, an Elasticsearch system, was not a production system, although it did contain valuable customer data. 

The server is designed to run high-powered search queries and was set up to help sort through the company’s massive amounts of customer information.

The compromised data included email addresses used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers and Alexa tokens used for connecting Wyze devices to Alexa devices.

The leak was first picked up by cybersecurity firm Twelve Security before being confirmed by data security blog IPVM.

According to Song, Wyze was given only 14 minutes to fix the leak before the information was made public.

Song went on to deny some of the claims made by Twelve Security, including assertions that Wyze API tokens had been exposed via the server and that user data was being sent to an Alibaba Cloud server in China.