Smart camera maker, Wyze Labs, announced a series of data leaks and breaches last December 2019. The first data leak was confirmed on December 26, 2019. Meanwhile, the second breach was acknowledged last December 30, 2019.
Wyze Labs is responsible for making smart cameras and connected home gadgets. Their current list of products includes connected bulbs and plugs. These connected gadgets can be linked and integrated with smart home assistants, such as Alexa and Google Assistant.
According to CNN, the first leak happened from a span of December 4 to December 26, 2019. The leak was blamed on an exposed database, revealing millions of personal information.
The first compromised database included customer emails, camera nicknames, and WiFi Service Set Identifiers (SSIDs). In addition to this information, the database contained device information and body metrics.
CNN revealed that customer email addresses, as well as email addresses of individuals allowed to view the feed, were compromised. Cameras and tokens were also made vulnerable to the public.
Based on the article by Threatpost, Twelve Security, a Texas-based consulting firm, alerted the smart camera maker.
On Monday, December 31, Wyze Labs disclosed another similar incident. In the second data leak, another database had allegedly been left exposed. Despite remaining exposed for a long period, the database did not contain passwords and financial information, notes CNN.
In a statement to the public, Wyze Labs apologized for the incident. To clarify, a blog post by Wyze said they “recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.”
Wyze continues to say that “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data was removed.”
To address the incident, the firm issued actions that immediately forced users out of their accounts. This allows users to “log back into their Wyze account to generate new tokens.”
Another step taken by the company is unlinking third-party applications and integrations. A reboot will also be issued by the smart cam maker in the next few days, reports Threatpost. The reboot will also come with improved camera features.
The data breach resulted in approximately 2.4 million affected users. However, the smart maker company failed to issue a specific number, says Threatpost.