Internet of Things Vendor Wyze confirmed that it suffered a data breach earlier this month that may have exposed details of 2.4 million users for 22 days. The U.S.-based startup sells IoT devices like security cameras, smart lightbulbs, smart door locks, smart plugs, and other smart home devices.
According to Dongsheng Song, co-founder of Wyze, the breach occurred after an internal database was accidentally exposed online. The exposed database was an Elasticsearch server that stored users’ personal information.
The issue came to light after researchers from cybersecurity firms Twelve Security and IPVM discovered and reported the incident to Wyze.
“We have been auditing all our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak,” Dongsheng Song said in a statement.
Weeks-Long Data Breach
It’s believed that the leaky database exposed information from December 4 to December 26, when an employee failed to maintain security protocols during the data transfer process. The exposed information included email addresses, body metrics, nicknames users assigned to their Wyze security cameras, Wi-Fi network SSID identifiers, and Wi-Fi network IDs. However, Wyze clarified that no passwords or financial information were exposed in the incident.
Wyze stated it’s notifying the affected users about the security incident. “We are working on an email notification to all affected customers and plan to release it soon. To balance thoroughness and speed, we will be sending the information that we have on hand and will provide further updates as we continue forward with our investigation,” Song said.
Keeping users’ personal information secure continues to be a risky task for database administrators. This is not the first Elasticsearch servers leak. Multiple security incidents were reported on Elasticsearch servers earlier. Recently, security researchers Bob Diachenko and Vinny Troia disclosed an open Elasticsearch server that contained unique data records of around 1.2 billion users. The leaky server stored more than 4 terabytes of data, without password protection or authentication.
The exposed data included names, email addresses, phone numbers, LinkedIn and Facebook profile information. It’s believed that the exposed data appeared to have originated from two different data enrichment companies namely People Data Labs (PDL) and OxyData.Io (OXY).