Wyze, a U.S. IoT device supplier, has publicly acknowledged that one of its servers leaked data, affecting nearly 2.4 million customers. The leaked content mainly includes email addresses, nicknames assigned to Wyze webcams, Wi-Fi network SSIDs and other user information. In addition, the leak included Alexa tokens for 24,000 users and other content that can connect Wyze devices to Alexa devices.
It is understood that Wyze is an IoT device supplier founded by former Amazon employees in Seattle in July 2017. Its main products include security cameras, smart plugs, smart bulbs, and smart door locks. It has been the top seller in the Amazon security and imaging equipment categories.
Wyze said that the leak was mainly due to the accidental online exposure of its internal Elasticsearch database. Elasticsearch is a technology that supports ultra-fast search queries, used here to help the company classify large amounts of user data. The company said that the server was created to help manage Wyze’s rapid growth and to better measure basic business metrics such as device activations and failed connection rates. It is reported that they copied some data from the user server and put it into the Elasticsearch database for easy querying. However, not enough attention was paid to its security, which eventually led to the leak.
The Wyze exec explains:
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
As technology continues to develop, more and more IoT devices are flooding into our lives. They are connected to the Internet at all times and, while providing services to users, they continuously collect user data. Experts believe that it is essential for companies to obtain this data and perform the necessary analysis. However, when obtaining data, user privacy protection and data security should be the first priority!