[TECH TALK] Popular Wyze Security Camera Exposed Customer Data Through Unsecured Database

Seattle based Wyze Labs, maker of the popular and inexpensively priced security cams, exposed approximately 2.4 million customers information through an improperly secured database. Wyze did quickly notify customers on their forum and then sent a detailed explanation via email to their affected customers. They noted the types of data exposed and how the events transpired. The company said that no passwords of financial data were exposed.

Unfortunately, both large and small companies are still prone to mistakes in both securing and auditing their customer databases. Wyze forced a reset of all passwords, but their 2FA servers were temporarily overwhelmed and out for several hours. The company also refreshed tokens for third party assistants like Alexa, Google Assistant, and IFTTT.

What data was exposed?

“Our investigation is still in process, but we have confirmed the information contained Wyze nicknames (the optional name change in the Account section of the Wyze app), Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens. We refreshed the Alexa tokens, so, please re-link your Alexa skill if you have not done so yet. We also refreshed the tokens for The Google Assistant and IFTTT. The information did not contain passwords, personal financial data, or video files.”

Wzye Community Forum Notice

Update: Amazon notifies affected WYZE customers in email.

Dear valued Alexa smart home customer,

Customer trust and the security of your account is a top priority. We are contacting you because you previously had the Wyze skill enabled on your Alexa account. Recently, Wyze, a third-party camera company, announced that a subset of their data was not secured properly. The company notified us that a limited number of Amazon Alexa tokens, which are used to connect Wyze devices to Alexa, may have been exposed due to the reported misconfiguration of their database.

Wyze has secured the databases in question and taken the precautionary measure of unlinking customers’ Wyze skill for Alexa, which made the exposed tokens invalid.

Wyze does not receive or store any other Amazon account information, and the tokens that were exposed by the misconfigured Wyze databases cannot be used by a third party to access Amazon accounts, stream video from Alexa-enabled devices, or gain access to other devices connected to Alexa accounts.
To continue to use your Wyze device(s) with Alexa, you will need to make sure the Wyze skill is enabled. Please follow these steps to re-enable the Wyze skill if necessary:

1. Open the Alexa app, and search for the Wyze skill in the ‘Skills & Games’ section of the Alexa app, or click: https://alexa.amazon.com/spa/index.html#skills/dp/B07FKZD276/?ref=skill_dsk_skb_sr_0&qid=1577726183 
2. Enable the Wyze skill
3. Authenticate your Wyze account

Should you have questions or concerns, please visit the Wyze website or contact their customer service directly to learn more about this issue.

Sincerely,
Customer Service


Featured Webinars


Advanced Phishing and
Training

Monday 1:30 PM – 2:30 PM
» Learn More
Outlook Phish Alert Button
Tuesday 1:30 PM – 2:30 PM
» Learn More
Customizing Phishing Templates, Landing Pages, & Training Notifications
Wednesday 1:30 PM – 2:30 PM
» Learn More
Active Directory Integration
(ADI) Setup

Thursday 1:30 PM – 2:30 PM
» Learn More
Gold/Platinum/Diamond
Features

Friday 1:30 PM – 2:30 PM
» Learn More

Privacy Policy | Terms of Service