Wyze, a Seattle-based company that sells smart appliances, recently addressed concerns over alleged data breaches.
The company sells smart plugs, smart lights, and smart security cameras, some of which could be connected to smart assistants such as Amazon's Alexa and Google Assistant. In response to the security risk, Wyze decided to log out all of their clients' Google Assistant and Alexa accounts from their Wyze devices.
This required users to sign in again to their devices. Additionally, users who employ two-factor authentication were reportedly met with errors when trying to log in. Wyze has since addressed these issues in its community bulletins.
Into the Breach
The news of a breach came from a Medium article by Twelve Security from Texas. Twelve Security claims that Wyze's two Elasticsearch databases have been compromised. The databases are said to contain information from more than 2.4 million users. Many of the users affected were from the United States.
Twelve Security also claims that the leak of sensitive information may have been trafficked through Alibaba Cloud servers in China.
Aside from email addresses, the alleged data breach includes specific information on the smart cameras being used at home, account login tokens for users on Android and iOS, camera access tokens on Alexa devices, WiFi SSID, and internal subnet layout. The dataset may have also included the weight, height, gender, bone health, and protein intake of users who had tracked these biometrics on their smart devices.
Twelve Security chose not to notify Wyze about the breach, opting instead to post their findings straight to the internet to make it public.
Damage Control
Wyze has since addressed the alleged data breach. The company posted on their community bulletins detailing the claims, as well as the steps the company has taken to solve the issues.
Wyze claims that it has not found any form of data breach on its servers of the kind Twelve Security described. The company has also denied any involvement with Alibaba Cloud. Regardless, the company thinks it's better to err on the side of caution than to take any more risks. Thus, Wyze decided to require users to reauthenticate their accounts, in addition to strengthening its server security.
Not the First Time
This isn't the first time Wyze has faced controversy over its handling of clients' privacy and data security. Earlier this year, users found out that people who bought Wyze cameras second-hand could have had their privacy exposed. The previous owners of the camera could have spied on the new owners through their Alexa accounts. At the time, Wyze had not fixed a bug that left the association between an Alexa account and a Wyze camera in place after users chose to "forget" the old device. As a result, the Alexa account would continue showing the video feed from the old Wyze camera.
This history of negligence, as well as Twelve Security's suspicion of the company's association with Alibaba Cloud, were the reasons why Twelve Security decided not to let Wyze know of its findings before publishing them to its blog.
Either way, users may want to consider finding alternatives until the allegations against Wyze are cleared up.