The initial reports were questionable, but apparently (mostly) accurate. Wyze has suffered from a data leak, exposing 2.4 million customers.
It has been a strange story to verify, but it appears that smart home company Wyze is the latest company to suffer a data leak. The initial reports were certainly questionable. We first saw the story on SlashGear, which reported the following:
The initial security breach claim was published by ‘Twelve Security,’ a website that describes itself as a ‘boutique consulting firm.’ The report claims that Wyze’s production databases ‘were left entirely open’ for anyone to access, exposing data from 2.4 million users. The report claims the exposed data includes email addresses, lists of cameras with their nicknames, WiFi SSID, API tokens, Alexa tokens, and more.
Oddly enough, the report also claims the leaked databases included various ‘health information’ on some users, including things like height, weight, bone mass, and more. The author of the blog post apparently did not reach out to Wyze before publishing this information to the public, stating in the post that ‘the database is currently live and open. Anyone can access it.’
The report doesn’t include any screenshots of these alleged leaks nor any details about how they were discovered, providing very little to go on. However, soon after Twelve Security published its report, another security company called IPVM published its own blog post claiming that it confirmed the breach after speaking with Twelve Security and reviewing the records.
The IPVM post does contain a single screenshot showing Wyze log events and select other data. Twelve Security has alluded to this as potentially being an act of espionage, claiming that the exposed users are located in countries outside of China. Beyond that, Twelve Security alleges that ‘there are clear indications that the data is being sent back to the Alibaba Cloud in China.’
When we saw this, we thought it over and decided that this might not be the most reliable story to run. The reason is that it made no sense for a smart home company to be tracking the bone density of its customers. Why would it? What would the customer gain from that? And how could camera equipment track something like that in the first place? For those reasons, we set this story aside in favour of something a little more reliable.
Now, later reports have made this story credible. Geekwire has run its own story on the leak and received a response from Wyze. Wyze confirmed that, yes, it did in fact suffer a data leak. From the report:
The problem arose from “a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” writes Dongsheng Song, Wyze co-founder and chief product officer, in the company’s post.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query,” he explains. “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
To Wyze’s credit, it has been very detailed in describing what happened, when, why, how, and what the company is doing about it.
A post by Twelve Security claimed that the leaked data included the following:
Wyze quoted that list in its original post but added, “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.”
That would explain the questionable claim. Why that claim was inserted into the report at all is baffling, because it only serves to discredit the whole story.
As Geekwire points out, one of the big takeaways is, indeed, responsible disclosure. Apparently, the time between the original ticket being submitted and the story being published was approximately 14 minutes. This suggests that someone jumped the gun and published before the company could even react.
Generally, companies have a ticket queue, and it takes time to work through each ticket. Priorities can be set, but even getting to the ticket would have taken time. For large companies, you ideally need to give them at least 24 hours, possibly 48. If something serious happened, it’s entirely possible that whoever has the authority to pull a whole database offline might not even be around. Who knows? They might have a two-hour drive ahead of them to get to the office if they don’t have remote access (hey, we’ve seen security companies suffer from data leaks, so it’s not entirely impossible here).
The fact that false information was thrown in suggests a few possibilities. One is that whoever made the initial report wanted to pad the story and maximize its impact. Another is that every piece of information the reporter obtained was posted without thinking about how the products in question actually work. Either that person is new to reporting or new to security news; these are not mistakes veteran reporters make. Inserting untrue facts into a report and not giving a company enough time to react to such a story are two of those mistakes.
Another possible scenario is that the original reporter was simply excited to get this story out. Any time you get your hands on some pretty big news – especially when you aren’t well known – is incredibly exciting. There’s the promise of a huge surge in traffic and, subsequently, ad revenue. So, holding off responsibly until the company has a chance to react is hard, but it is required in situations like this. It’s possible emotions got the better of the reporter and the gun was jumped far too early.
Luckily for the people behind the original disclosure, the company in question is being open about all of this. Some companies have, in the past, threatened to sue those who disclose leaks and breaches, regardless of how true the disclosure is. Others simply ignore the initial reports for weeks on end. Arguably, what happened here is a best-case scenario.
The initial disclosure did get some publicity out of all this. The problem at this point is rebuilding credibility, which took a hit with how this story was handled. It’s possible that things can heal in time, before the audience moves on to new things, but it’s going to be a tough hill to climb. One can only hope that lessons have been learned.
Drew Wilson on Twitter: @icecube85 and Facebook.