[Updated 02-13-20] Data leak 12-26-2019

Thanks, I did re-enable the skill, sign in again and all is fine. I didn’t see where they said they were doing further Alexa token cleanup.
But see… I’ve been generally supportive of Wyze through all of this, posted that support, etc, and this is the kind of thing that’s really annoying. With all of the speculation and near universal calls from customers on this forum for Wyze to communicate quickly and accurately with its users, disabling the skill which affected a bunch of routines and functions without telling me they did it is a bad thing.

1 Like

Wyze, I noticed your two-factor authentication only has an option for phone verification code. If an attacker gets a hold of a person’s phone number they can socially engineer an attack with a cell phone provider called SIM swapping! Basically your two-factor authentication is outdated and insecure already, please allow us to use Google Authenticator or some other token ASAP!! I’m going to open a separate support ticket for this so it can be tracked.

4 Likes

Hey Wyze -
My first knee jerk reaction was: “oh crap - not again!?!” However, I know mistakes happen, and although this one is certainly a… egg on Wyze’s face, sort of thing … that said - mistakes happen.

I’ve not read most of any responses on the board, but from what I read in the email received today was that Wyze has addressed the breach, and investigating. Meantime - no serious information was compromised, correct?

What I really wanted to point out is that with most any breach nowadays - - you don’t hear about them for SEVERAL MONTHS ! C’mon everyone… we all know, as the saying goes… [censored] “crap” happens. Wyze informed its customers within DAYS. :slight_smile:

My comment comes in the form of a commendation:
I commend Wyze for being upfront and honest, and promptly providing us the information.

Thanks Wyze

10 Likes

Wyze said they are going to be reviewing their security policies and I imagine many of these things will be a part of that. Certainly a number of security “best practices” were not being followed and that ultimately led to this situation. It’s a hard lesson for any company to learn, but I’m looking forward to seeing security become more of a priority.

6 Likes

Also my Alexa-Wyze skill shows updated 17 hours ago. That would be about 8:00 PM EDT.
Not sure what the update was but mine is still enabled.


2 Likes

There is a Wishlist item you can vote on asking for app/token-based 2FA:

I imagine this will be a top priority as Wyze implements more security features.

3 Likes

I await Wyze’s response then to this and the security issues implicated in 12Security’s second article.

@thequietman44 Thank you for your detailed reply.

1 Like

Thank you for being open, honest, and transparent about the entire situation. I still have faith in Wyze and I will continue to use and support your products. :relaxed::+1:

1 Like

PLEASE add a different two-factor authentication option (ie Google Authenticator)! Your current method just doesn’t get the job done and has too many holes in it to feel safe using. After the leak, I hope expanding and improving your security options becomes a top priority.

4 Likes

Does anyone else see the irony of WYZE asking us to be watchful for any phishing attempts, yet they implemented one method of phishing, namely the displayed URL does not match the hyperlink when hovering over https://forums.wyze.com/t/updated-12-30-19-data-leak-12-26-2019 in the e-mail they sent?

1 Like

Wow that was a blast from my past! Is this the same GRC of Spinrite fame?

SQRL looks interesting thanks for sharing. Personally I prefer not to use anyone’s single sign on tech. But that’s just my preference.

They use Mailchimp (or one of their services), which replaces URLs with a tracking URL from the mandrillapp domain. But yeah, I understand what you are saying. They probably should have turned off click tracking for that email, haha

2 Likes
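The mismatch discussed in the two posts above (link text that displays a forums.wyze.com URL while the underlying href points at a click-tracking domain) is the same signal mail filters and wary readers use to spot phishing. As an added example, not part of the thread and not Wyze's or Mailchimp's code, this Python check flags anchors whose visible text claims one host while the href goes to another; the sample e-mail body, the tracking path and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; the tracking path is a placeholder, not a real link.
SAMPLE_EMAIL_HTML = """
<p>Details: <a href="https://mandrillapp.com/track/click/EXAMPLE-ID">
https://forums.wyze.com/t/updated-12-30-19-data-leak-12-26-2019</a></p>
<p><a href="https://forums.wyze.com/">forums.wyze.com</a></p>
<p><a href="https://mandrillapp.com/track/click/EXAMPLE-ID-2">Read more</a></p>
"""

# Visible text counts as a "URL claim" only if it starts with a dotted hostname.
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)

class LinkAuditor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (displayed_host, actual_host) for links whose text names another host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for href, text in auditor.links:
        shown = URL_LIKE.match(text)
        if not shown:
            continue  # plain label such as "Read more": no host is being claimed
        actual = (urlparse(href).hostname or "").lower()
        if actual != shown.group(1).lower():
            findings.append((shown.group(1).lower(), actual))
    return findings
```

Senders avoid tripping this check by disabling click tracking on security notices or by using descriptive link text instead of a literal URL.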

I’m sorry that this happened to the company but I’m thankful that you’re on top of it and have been updating customers. It’s very scary for customers, hearing the word “breach”, in this case imho it doesn’t seem to be too dire, apart from profile photos (which people share on FB and Insta anyway). I guess it’s time to learn that lesson on enhancing security since there’s always someone out there who wants this type of info.

Thanks again. I for one will keep supporting Wyze. Great products and services at great prices.

1 Like

You have it wrong. It didn’t ‘happen to’ them, they did it to themselves.

2 Likes

How SQRL works is that the server for single sign on hosts the account services.

Your device PC/Mac/Android/iOS will provide the single sign on info. So it’s single sign on but in reverse. You own the data.

So the password and account details are not online but on your device,

making your account even more secure so that if Wyze or the service you’re connecting to gets hacked there is only the basic name and email and link ID that will only work with your SQRL app,

meaning they have nothing.

Yes I have been reading their available info. As I say very interesting and will be good to watch. I just try and avoid having any service as part of my sign in where I can. I trust my security as little as possible to anyone else.

2 Likes

For Sale WYZE Devices
So from Dec. 4th until the 26th everyone’s data was accessible. Bad bad bad. I could understand a fitness tracker company being breached. But my home security devices? I’m out!! I don’t care how sorry you are that is a complete breach in customer trust.
Just so everyone knows all your info is accessible on the dark web if you know how to find breached databases.
Also, if anyone reading this has given access to family or friends, their data is also breached.

1 Like

From the Wyze email that went out this morning:

This will include … making more of our user-requested security features our top priority in the coming months.

The top user requested security features are app-based 2FA and the ability to change email account email address. I expect that these are the features that will be receiving top priority.

5 Likes

I just experienced something very interesting about this ‘data leak’. As suggested I logged into my Wyze account to change my password and all my personal data had ‘leaked’ out - nothing was there! It was a real ‘data leak’. :fearful:

No name
No billing address
No shipping address
No order history
No products
No payment data
Nothing, zero, zilch, nada.

The only thing there was my logon ID (email address) and password. Given that all my Wyze products were purchased directly from Wyze I know the information was there at one time - it had to be or I wouldn’t have the products.

Ironically I could not change my password without entering all the PII which I’m not going to do since having no information out there is orders of magnitude better than having real information to be leaked again.

Tagging @UserCustomerGwen in the hopes she might look into this and provide some insight.

2 Likes