We have completed the initial steps of the internal investigation and are continuing through the process. We wanted to fill you in on what we’re doing in response to the data leak.
Data security will be our top priority over the next few months. Because of that, we will be adjusting our previously expected feature and product roadmap. Here are tasks we are working on internally with the goal of completion over the next few months:
- Independent cyber investigation (investigating how this leak occurred)
- Security assessments and audits by 3rd party security companies (validating our security and privacy environments)
- Penetration tests by independent security companies (authorized simulated cyber attacks to evaluate the effectiveness of our security system)
- Revisiting security settings for each Wyze server
- Reviewing our internal security policies and practices
- Improving security processes, tools, and training across Wyze
This is the beginning of our checklist that we are going to be accountable for and we are open to feedback for items to add to this list.
We are also adding multiple public-facing features that will improve security for our customers in the coming months. We’re in the beginning stages of research for some of these and several will likely take significant changes to our back-end systems. This makes it difficult to give estimated timelines for these high-priority projects. We are continuing to take note of all of the security features you are requesting in the comments and in our Wishlist. Here is the list of features we have prioritized and started researching right now:
- Adding the ability to change account email addresses
- Other methods for multi-factor authentication besides SMS (including an authenticator app)
- Multi-factor authentication to Wyze websites
- Adding a website that will make learning about Wyze security easier and provide a dedicated channel for reporting any potential issues
We welcome further suggestions through the Wishlist. We’ll evaluate this feedback in concert with the recommendations from the security companies we are working with. Our goal is to take steps in the correct order to improve your security.
Thank you for all of your comments so far and we’ll add another update when we have more to report.
Moderator Note: The #wishlist topics for the first three bullet points above can be found at the following links. Please vote and/or comment there.
We have started sending out the email about the data leak to all customers. If you don’t see it now, it should arrive later due to the batching process. Thank you for your patience while we worked through the logistics of this process. Other things that we are currently working on include enhancing our security processes, improving communication of security guidelines to all Wyze employees, and making more of our user-requested security features our top priority for the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.
We have not yet completed our investigation but would like to take the opportunity to answer some questions we have received from the community.
What data was exposed?
Our investigation is still in process but we have confirmed the information contained Wyze nicknames (the optional name change in the Account section of the Wyze app), Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens. We refreshed the Alexa tokens so please re-link your Alexa skill if you have not done so yet. We also refreshed the tokens for The Google Assistant and IFTTT.
The information did not contain passwords, personal financial data, or video files.
Who was affected by the breach?
All users that created an account prior to December 26th, 2019.
Why was there a delay in informing affected customers by email?
We wanted to make sure we locked the door before telling everyone it was open. The delay helped reduce the risk of additional parties finding the leak until we locked things down. We waited to send out an email to the entire Wyze community until we could verify exactly how the data was accessed and could say definitively that no more records were exposed. Also, there are also logistic problems involved with sending so many emails at once that we normally do not encounter. Usually, we only send mass emails to a significantly smaller number of newsletter subscribers.
Are you using data security professionals to investigate this? Devs and executives don’t count.
Yes, we are.
How does Wyze protect customer information overseas?
Wyze is headquartered in Seattle, Washington. The majority of our developers, engineers, and employees are here. We also have a Beijing office which has a team of developers, hardware quality assurance people, and product managers but we do not do any business with China’s markets or government. Our servers are set up so that the production servers (along with the exposed servers and any server that contains customer information) are set up in US-based AWS servers. In China, our Beijing developers use a separate test server which allows them to help test and develop products. These servers are hosted on AWS servers in China and do not contain customer information.
Why did users using two-factor authentication (2FA) receive verification texts from multiple phone numbers?
On December 26th, we expanded our 2FA SMS sending line to multiple lines to help accommodate the volume of requests.
What are we doing about international customers using two-factor authentication (2FA)?
Our 2FA method does not function for many of our international customers due to the differences between phone numbers. We are investigating methods to make this available internationally, but it will require infrastructure changes so we cannot promise an immediate release.
We wanted to give you all an update on the ongoing investigation into the data leak that was reported on 12/26/19.
We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak. We want to thank the Wyze community member who contacted us privately about this shortly after our 12/27 update. Their assistance helped us address this vulnerability quickly that evening.
We are working on an email notification to all affected customers and plan to release it in the near future. To balance thoroughness and speed, we will be sending the information that we have on hand and will provide further updates as we continue forward with our investigation.
Again, we are deeply sorry for this situation. Thank you for your patience as we work through this process. We have been reading through everyone’s comments and are continuing to work together on methods to improve our security and ensure that similar occurrences never happen again.
On December 26th at around 10:00 AM, we received a report of a data leak. We immediately restricted database access and began an investigation.
Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.
We don’t have all the answers yet, but we wanted to provide an update based on our investigations so far. We will be providing a detailed follow-up once we complete our investigation.
To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.
The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.
There is no evidence that API tokens for iOS and Android were exposed, but we decided to refresh them as we started our investigation as a precautionary measure. Yesterday evening, we forced all Wyze users to log back into their Wyze account to generate new tokens. We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.
Several of the things that have been reported are not true. We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing. We did not have a similar breach 6 months ago.
We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this. This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.
For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward. We’ll continue to update you as we make progress.
How does this impact me and what do I do next?
A 3rd party may have your email address. Be aware of spam or a phishing attempt. We’ve logged you out of your Wyze account. You will need to log back in and relink your Alexa, Google Assistant, or IFTTT integrations if you use these services and haven’t done so yet.
Why did you have a second version of your database?
We created this subset of user information in order to perform queries (e.g., number of connected devices, connectivity errors, etc.). Queries such as these are expensive in terms of computer resources and they would have impacted your product experience significantly. For that reason, we created a separate database specifically for processing those heavier requests.
What have you done with the exposed database?
We locked down the database in question before we were able to verify it was exposed. We did this as a precaution because the published article referenced a database connected to “Elasticsearch”: a search tool that we also used on our query database.
It was mentioned that height, weight, gender, bone density, bone mass, daily protein intake, and other health information were leaked. How was this information obtained and who did this affect?
Wyze was beta testing new hardware and some of this information was in the database. We had this information for about 140 external beta testers. We have never collected bone density and daily protein intake and we wish our scale was that cool.
Did Wyze know about this before the article was published and was there a reasonable effort made to contact Wyze so the Wyze team could fix any issues before anything was published?
We were first contacted through a support ticket at 9:21 a.m. on December 26 by a reporter at IPVM.com. The article was published almost immediately after (Published to Twitter at 9:35 a.m.). It was published in conjunction with a blog post from a private security company also published on December 26th. We were made aware of this article at ~10:00 a.m. from a community member who had read the article. As soon as we were aware we took the actions mentioned in our forum post to secure user data.
Original 12-26-19 post
Wyze received a support ticket at 9:21 a.m. Pacific from IPVM about an article they posted about a “massive data breach.” Said article was based on another article published by an anonymous author on the Twelve Security blog, a security consulting company in TX. Wyze became aware of the article around 10:00 a.m. Pacific.
What data was said to have been exposed?
As of yet, we have not been able to confirm a breach of any kind. It is stated by the articles published that the following data was exposed:
- User name and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app
- API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Password information was not included in the article about the alleged compromise.
What is Wyze doing about it?
Immediately upon hearing about a potential breach, Wyze mobilized the appropriate developers and executives (CEO and CPO) to address the allegations.
Wyze then attempted to verify the breach.
After unsuccessfully trying to verify the breach, at 1:29 p.m., Wyze added another level of protection to our system databases (adjusted several permission rules and added a precaution to only allow certain whitelisted IPs access databases). Wyze also pushed a token refresh to all Wyze users. This means that all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT.
These precautions began implementation at 1:29 p.m. Refreshing tokens for the entire Wyze userbase is a process that takes time but this and the above processes were completed around 4:30 p.m. Pacific. As of 5:00 p.m. Pacific, we received word that our 2FA servers have been overloaded by requests and people may have trouble logging in until later. We are working on resolving this issue now. [Edit to say that this was resolved as of 9:00 p.m. Pacific.]
At around 2:30 p.m. Pacific, Wyze attempted to contact the author of the Twelve Security post directly via phone and we received a message that said the number does not accept inbound calls. Wyze then sent an email to Twelve Security at the publicly listed email address.
Wyze is continuing to investigate these claims and will post more information at [Updated 01-06-20] Data leak 12-26-2019 as it becomes available.
What actions should users take?
For now, we have yet to verify a breach. Users can further secure their accounts by changing their passwords and implementing two-factor authentication in the Wyze app (https://support.wyzecam.com/hc/en-us/articles/360024402052-Two-Factor-Authentication).
We will post additional information in the Wyze Forum as it becomes available.
Please direct any questions to firstname.lastname@example.org or comment on the post in the Wyze forum.
How did this happen?
We are unsure if it did happen. We are taking this very seriously and investigating the claims.
Is there validity to the claim that Wyze is sending user data to China?
Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.
Wyze does have official Wyze employees and manufacturing partners in China, but Wyze does not share user data with any government agencies in China or any other country.
Update for the two-factor authentication issue:
12/26/19 9:00 PM PT - We apologize for the delay and appreciate your patience with the difficulty using two-factor authentication. Adjustments to our 2FA service have been made and people running into the invalid phone number error should be able to log into the Wyze app now. If you are still having trouble logging into your app, please contact our customer support team.