[Updated 02-13-20] Data leak 12-26-2019

I’m retired but I understand what you’re going thru. The company I worked with had an issue, “not cyber related,” but it demanded all hands on deck as the customers wanted info and the press requests were nonstop. Time of day or night meant nothing and how many hours you’d worked straight thru became a blur. I appreciate the Wyze team’s effort as I’ve been there. You want to give answers but you just don’t want to give incomplete answers so you have to wait. Customers (myself included) can be very demanding, wanting it NOW! I believe you’ve handled this professionally and appreciate you responding to individuals personally. I’m sure the team is wiped out but won’t stop until it’s complete. I just hope you don’t go 53 hrs straight like I did. No fun.

God Bless

3 Likes

We’re all hands on deck but Wyze hasn’t pushed me into my consistent presence here during this investigation. I love our communities and I understand how concerning the last week has been for folks. I want to do my best to help out. :slightly_smiling_face:

11 Likes

And we appreciate it. You always come off quite genuine. It’s a nice change of pace from the usual corporate responses that other companies provide.

3 Likes

The data leak situation has been rough but I still think I have the best job ever. Not hard to be genuine when I get to be honest and upfront AND I get to meet so many awesome people in our communities. I’m super lucky.

I’m going to cut off this conversation because I don’t want to derail things. :grin:

11 Likes

Yes, but I would rather that Wyze had immediately told us there was a breach and to shut down our devices until they figured it out. Again, we shouldn’t have to hear about this kind of thing from the news first. Reminds me of what Equifax did.

I understand. I really do.

But the company I worked for heard of our issue from the media also. (Pre internet). We had to figure out exactly what the entire issue was before we could do anything. You clamp down all operations. And you appoint a point person(s) to speak. If you let everyone who is in the know speak it gets convoluted very fast and just adds to more questions, misunderstandings and confusion. They really are handling this well. Better than most companies.

1 Like

I agree. Equifax waited more than a month to tell anyone. It’s been just under 4.5 days for Wyze, and they found out when everyone else did, the day after Christmas, when it’s likely that very few people were scheduled to be in the office.

The unethical 12Security guy backed them into a corner by alerting the world of the problem before they’d had a chance to fix it, which is an invitation for bad actors to exploit the problem. (This is the whole purpose of “responsible disclosure.”) To be on the safe side, Wyze forced a token refresh on the same day, even before they’d been able to verify anything definitively, just in case anyone did manage to gain access to any accounts.

Wyze confirmed the problem the next day, and continued to give updates here, where it had already been discussed, but it would have been ill-advised for them to amplify the alarm on the problem any further before having the opportunity to do due diligence. It was necessary for them to ensure that they understood the problem fully, so that they could be 100% sure it was completely rectified. Once again, anything else would have been an invitation for bad actors to exploit the problems.

Anyway, this all seems to have happened at lightning speed, in my opinion.

10 Likes

I get what you are saying however, I would still want to know there was a breach even if they didn’t have any answers.

1 Like

Sure. I’d want to know, too… But I wouldn’t want black-hat hackers to know. And the two go hand-in-hand. If 12Security had practiced responsible disclosure techniques, none of us would have probably found out until now. Despite wanting to know, that would have been the best-case scenario for everyone.

12Security’s cavalier actions made the exposed data even more vulnerable. If Wyze themselves had amplified the alarm before having the opportunity to do due diligence, this would have increased the vulnerability even more, which would be incredibly irresponsible.

5 Likes

Some more information about the security firms you are using for the audit would have been nice. Also, a lot of claims have not been addressed, e.g. the breach of the certificate chain and why so many Wyze servers are located in China, passwords hardcoded in source code, the claim that video feeds can be accessed, and so on.

Wyze has a lot of work to do to regain trust from many people. It seems they are taking the right steps, but still a lot of information is missing: not only who is helping you right now, but who will help you further on, and what plan for regular audits you have.

3 Likes

It’s 12/31. Never received an email about the data breach but saw it on my Google newsfeed this evening. Absolutely disgusting that I found out via Google News several days later while my account has been compromised. I see a class action lawsuit in the future. This is unacceptable.

2 Likes

So, I should be changing my router wifi name and password? Ugh…

Please can you implement 2FA for phone numbers outside of the US. Even though you do not specifically sell outside of the US people are still able to buy your products on Amazon etc.

I personally don’t live in America and I have 7 of your cameras and was about to purchase the Wyze Sense pack until I saw the news article about the leak.

I hope you guys get this all straightened out and appreciate the hard work you’re all putting in.

P.S. Happy New Year :tada::tada::tada:

2 Likes

@JDP Another U.K. Wyze customer here. Unfortunately, I imagine they’ll just roll out the old “we don’t support your country” excuse with this, which has now gotten a bit old.

Not only is mobile 2FA widely regarded as a bad implementation of 2FA (This is why you shouldn’t use texts for two-factor authentication - The Verge), but the fact that it is only available in specific countries, even though the hardware and app are available outside of them, with zero warnings or preventions, is annoying at best.

Supported or not, EU data has been transferred outside of the EU, and nothing has been done to account for this. It’s about time that Wyze opens their eyes to the global impact and takes responsibility for the protection of international customers’ security.

They say security is taken seriously, but I don’t see the evidence. This situation is reactive to poor practices and does not show a proactive stance on data protection.

2 Likes

According to their update today they will be investigating methods to make 2FA available internationally.

4 Likes

@WyzeJasonJ It’s a good start, but I hope the internationalisation and compliance work doesn’t stop there.

The email just came through for me.

I think Wyze has done a great job in getting out what information you could, when you could.

Unless new information comes out that contradicts what has already been noted, I plan to continue being a customer and look forward to whatever new products you decide to release.

1 Like

They’ve said internationalization is in their long-term plans, but there’s a lot that probably goes into that. You seemed to allude to the EU’s data protection laws in your previous post. That’s precisely the kind of thing that requires them to tread carefully before they enter a new market. Right now, they don’t sell in the EU and they don’t have a presence in the EU. Their current EU customers are incidental, and bought the products through third parties. I’m pretty sure Wyze is still small enough that they’re not subject to GDPR, especially since they’re based in the US and have no European presence whatsoever, but if they did start catering overtly to EU customers, they could open up a regulatory can of worms that they may not yet be prepared for.

1 Like

GDPR does not discriminate on company size, it also doesn’t care about incidental or otherwise. If data is moved outside of the region, it’s subject to the laws. It is the responsibility of the company to recognise this.

A blind-eye approach to customer data protection is not good enough anymore and the GDPR is pretty clear on that. The attitude of “we don’t do the EU” is exactly the stance that worries me about this. If you don’t want to comply, the GDPR demands that you block EU access, as we saw with many services and websites when it was introduced. The ICO would 100% be able to take action on this incident if it were brought to their attention.

Two things in light of recent breach:

  1. Wyze is handling the situation pretty well so far; at least transparency is a good start.

  2. Security now needs to be a priority. Fix 2FA for ALL users!!! Beyond stupid to design security features for U.S. customers only when the product is available internationally (via Amazon). Fix ASAP and make adequate design decisions!

1 Like