If you’re wondering why your Wyze plugs stopped responding to voice commands last night, it’s because the smart home supplier logged everyone out after accusations of a dubious data breach. Details are thin and little has been confirmed, but if you’re using Wyze products, know for now that you’ve been logged out and that you’ll have to reconfigure Alexa skills and Google Assistant integration.
What happened? Well, that part still isn’t entirely clear. An anonymous author on Twelve Security, a supposed security consulting company in Texas, published an article yesterday describing a “massive” data breach for Wyze smart home products. The blog post alleges that Wyze’s production databases were “left entirely open to the Internet” and ultimately leaked loads of sensitive information about the company’s 2.4 million users.
The allegedly leaked information includes the usernames and email addresses of folks who purchased Wyze cameras and connected them to their homes. It also supposedly contains the nicknames for those cameras, email addresses of users who have received shared access, network details such as WiFi SSIDs and subnet layouts, biometric data from a subset of users, and more. It’s worth mentioning that at the very least, user passwords aren’t alleged to be a part of this leak.
Here’s all of the supposedly leaked data:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
But here’s the thing: beyond some dubious screenshots, there’s absolutely no proof that any of this is true.
Wyze has responded to these claims in a forum post on its website, saying that so far it hasn’t been able to confirm any kind of data breach. Even so, Wyze logged everyone out of their accounts, which invalidates the API and Alexa tokens listed above in case they really were compromised. Along with logging back in, you’ll have to relink integrations for smart assistants such as Google and Alexa. Wyze also adjusted some permissions on its databases and is only allowing access from certain whitelisted IP addresses.
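To make the two precautions above concrete, here is an added example (not Wyze’s code, and not based on anything Wyze has published about its systems) of how a service can force a mass logout without rotating its signing key, and how a database-side IP allowlist check works. It assumes HMAC-signed bearer tokens that carry an issued-at time, a hypothetical in-memory per-user “not valid before” store, a constructed signing key, and constructed network ranges.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Dict, Iterable, Optional

# Constructed signing key for the example; a real service loads it from a secret store.
SECRET_KEY = b"example-signing-key-not-a-real-secret"

# Hypothetical in-memory store: user id -> earliest issue time still accepted.
# A token minted before this mark is rejected even though its signature still checks out.
_not_before: Dict[str, float] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a signed bearer token carrying the user id and the issue time."""
    payload = {"sub": user_id, "iat": now if now is not None else time.time()}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the payload if the signature is valid and the token was issued at or
    after the user's last forced logout; otherwise return None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    payload = json.loads(_unb64(body))
    # Revocation check: anything minted before the not-before mark is dead.
    if payload["iat"] < _not_before.get(payload["sub"], 0.0):
        return None
    return payload


def revoke_all_tokens(user_ids: Iterable[str], now: Optional[float] = None) -> None:
    """Force-logout: every listed user's outstanding tokens stop validating from `now`."""
    stamp = now if now is not None else time.time()
    for uid in user_ids:
        _not_before[uid] = stamp


def db_access_allowed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Database-side guard: accept a connection only from allow-listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


if __name__ == "__main__":
    old = issue_token("alice", now=1000.0)
    print("before logout:", verify_token(old) is not None)   # True
    revoke_all_tokens(["alice"], now=2000.0)
    print("after logout: ", verify_token(old) is not None)   # False
    print("fresh token:  ", verify_token(issue_token("alice", now=2000.0)) is not None)  # True
    print("db from 10.0.5.7:", db_access_allowed("10.0.5.7", ["10.0.0.0/16"]))        # True
    print("db from 203.0.113.9:", db_access_allowed("203.0.113.9", ["10.0.0.0/16"]))  # False
```

The point of the not-before mark is that a forced logout is a database write, not a key rotation: old tokens keep a valid signature but fail the issued-at check, so a leaked token dump is useless once the mark moves. The allowlist check is the same idea Wyze describes for its databases, applied at the connection layer rather than in the token.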
Wyze is also trying to communicate with the author of that Twelve Security blog post and the company is waiting on a response via email because the site’s phone number doesn’t accept inbound calls. That’s just one part of how strange this disclosure has been. Twelve Security only has three whole blog posts, one of which accuses Credit Karma of ad fraud, while the other promises to delve into “China’s FBI.” When you Google the security firm’s address (5052 Rogers Road, San Antonio, TX 78251) it just shows an intersection with nothing on it. Hardly confidence-inspiring. The whole thing is beyond questionable.
Separately, another small-time blog called IPVM has published an article claiming proof of the breach, including screenshots of the leaked data. If there has truly been a breach, there were more responsible ways to approach disclosure—the fact that Twelve Security decided to go public instead of contacting the company is just irresponsible. Really, this reads like an attempt at publicity for Twelve Security or an attempt to damage Wyze’s reputation. But again, that’s speculation.
And so far, Wyze hasn’t given us any reason to doubt its transparency. For starters, mass-logging everyone out feels like acknowledgment and that the company is taking this seriously since it will inevitably draw people’s attention to the issue. The company has also been quick to address (and verify) issues in the past. If anything, the legitimacy of these blog posts is questionable—not Wyze’s response or transparency.
For now, what we can say for sure is that this is unfortunate timing, both for everyone who just purchased and set up their new smart home gear for Christmas, and probably for Wyze, which is likely working with limited staff at the moment given that holiday vacations are in full swing.