[Updated 02-13-20] Data leak 12-26-2019

If you tried to authenticate several times when the 2FA servers were overloaded, then you probably received multiple codes after they finally caught up. :slight_smile:

EDIT: If you continue to receive the codes, then change your password.

I had to set up both of my Wyze cams again. Now I’m unable to share.

I am not using 2FA right now and just needed to login with my current Wyze account password. I did not have to reset it.

No, they were both this morning. I logged in and received it from one number. Then changed password, logged back in, I got a code from the other number. I just want to know if they are both numbers used by Wyze to send out codes.

Yes, they are. Multiple numbers are used by the 2FA service.

Please vote for this alternate 2FA feature: Add authenticator app(s) for 2 Factor Authentication (2FA)

Voted! After this scare i think it is important we have this.

Both of my cameras say they’re offline. I’ve tried updating the app, checked internet and power cycled them and I keep getting the error code 90 message.

I have run into this before as well. I would remove the camera from your app and re-add it. Welcome to the community :slight_smile:

Yes, they did. Wyze chose to ignore them until the go public date came. Bad decision!

Unless you get a new phone and forget to login to an app (or 3) before resetting your old phone. App won’t accept the 2FA code from the new phone.

:joy: you need to keep up, I think you may have missed a few developments.

Keep in mind that if this breach is real MFA via an auth app wouldn’t have stopped this.

Of course not, but it would absolutely have prevented the DoS created by a 2+ million user base all attempting to login with SMS 2FA. The delay getting back in is 100% a result of the 2FA method chosen and deployed by Wyze.

PS - I really like the company and the hardware; the above comment is not an attack on them, but an effort to properly educate users as to what’s going on.

EDIT: To better articulate the point, had Wyze offered 2FA via an authentication app, everyone here complaining about the SMS issue would not be here complaining about the SMS issue.

Authy is stored safely via an encryption key and the data stored in their service is only decryptable by your password. This works on a PC, phone or other device. So even if you get a new phone, or forget to login to an app before resetting your old phone, you still have all your 2FA safely stored.

You’re not wrong.

I have Authy on 3 devices, phone, tablet, and PC. Each device is itself protected by biometric security or a physical (Yubi) key, or both. Any device can invalidate another device. Provided you also get past the biometric and physical keys. Much much more secure than an SMS based system.

@WyzeDongsheng

Can you provide any updates?

If the IPVM screenshot is authentic, there is a very real issue here.

  1. Can you confirm/deny that a production database was open to internet/compromised via vulnerability?

  2. What steps are currently being taken by your SecOps teams to ensure that, with everyone logged back in, we are “safe” at this point?

  3. Regarding the claims of vulnerable data types, are you able to confirm the data is/was limited to what is claimed? That is - what other info could have been compromised by access to that particular database?

  4. Do you keep other user/device information elsewhere? Is that data salted/hashed?

I’m not asking specifics; I don’t want you to compromise your investigation. But it’s now a day later, and some of the IPVM claims have yet to be directly addressed by Wyze.

This is very concerning… By looking at the 2 leading vendors for open ports/services, the data from 12security/IPVM can be confirmed (that the server WAS open)… collections such as “, wyze-api-server-log-2019-10-05” are listed in the available sets to query on the server when it was available. The question still remains 1) whose server was it (Wyze, 3rd party, or a faked server). The server is now offline, so if it was Wyze’s server then the answer to “How did this happen” and “we are unsure if it did” should be easy to answer… It’s easy to confirm based on the server/IP being in AWS… if this was one of your servers or not (it should have taken less than 30 mins to confirm)

Wyze: please clarify your answer of “We are unsure if it did happen”

Well, it appears that, with everyone logged back in, this forum thread is all but dead. Funny that most people’s concern was “I can’t log into the app”; disappointing to see little discussion from the user community re: the allegations of the breach itself, or updated responses to the allegations from Wyze.

Again, I really like the company and products, but the transparency seems a bit disingenuous; for instance, the email last night (sent to the user base, only after someone here asked if an email would be sent) only discussed the 2FA issue - not a single mention as to the allegations that prompted the revocation of tokens that created the 2FA issue in the first place.

@WyzeTeam - you’re doing well here, but this is definitely a teachable moment, and there is room for improvement.

EDIT: typo
