Based on everything that Wyze has communicated to us over the last 4 days, and it’s miles more than what other vendors typically do, neither passwords NOR token data has been compromised. Wyze cleared all tokens requiring re-login as a precaution.
I’m in the field, and deal with creating architectures that prevent this from happening. Did Wyze mess up? Yeah, ideally it should have never happened, but inevitably it does, to the best of companies. Is Wyze handling this well? Yeah, extremely.
Again, based on any credible information out there, no new “interesting” data about users made it out to the public and no way to access your accounts. What got out was:
- email addresses - I’m positive 100% of these accounts were already on lists of valid email addresses unless someone created a brand new email address specifically to use for Wyze in which case it really wouldn’t matter if it got out since they wouldn’t use it for anything else.
- nicknames - Sure, maybe some people put their first name in there, but again 99% that info was already public. Unless you used your SSN as the nickname for the Wyze account, you’re safe, and even if you did use the SSN, unlikely anyone looking at it would know unless it was “SSN: 999999999”
- camera names - Nice, now they might know that you have a “Garage”.
- the fact that you are a Wyze user - This is in my eyes the biggest piece of data that was leaked, but I just don’t know if it really matters anymore. There is a finite list of big companies with millions of users. If you are a hacker and find a data-set of emails and passwords, you’re probably going to try them in any company you care about, so if Wyze was one of your targets you’d try all emails there and not this specific couple of million emails from a dated dump.
- some weight and other related data from a new product Wyze was testing on a very limited set of users - Not a huge deal in my eyes, people who are super concerned with that data coming out wouldn’t have bought a cloud-connected scale, especially in the alpha phase. If this was already a live product with millions of users, that data would have been probably very useful for targeted advertisements, and would have probably been worth something, but it wasn’t.
So overall, am I concerned? Not in the slightest, as a matter of fact I just purchased another Wyze cam 2 days ago after knowing the details of this “leak”. Use strong and UNIQUE passwords, use 2FA, and don’t put anything you don’t want people to know on the web.
All this fuss about this “leak” is the same thing that was going around last year about Nest cam “hacking”, where people reuse passwords, use them on fishy sites (or even legitimate sites, and don’t change them after a leak), hackers get a hold of those passwords, and then log into your camera and scare your kids. Then people say it’s still the company’s fault because they don’t somehow check that you reuse passwords. People need to grow up and take responsibility for their security online.
Now hey, if it does come out that more data was accessed, including passwords etc., big whoop. At that point they’ll be sure to send you an email as soon as they know, and if you did your due diligence, you would have had a unique password, and just change your password or, if you want, create a new account and add all the cameras again.
I don’t understand people who say “oh no, I’m going to throw away these cameras and go somewhere else”. Feel free if that’s what you want to do, but don’t let a single breach be the reason. If this becomes a norm for a company and there are multiple breaches, and you can see that the company isn’t doing anything about it, sure. But if your reason is that there was a breach and now your 1 password you used everywhere is exposed and your life is turned upside down, I’m sorry, the problem is with you, not the company.