Smart home device maker Wyze has accidentally exposed a subset of user data that it had copied across to “a more flexible database” for an internal analytics project.
The company - which is best known for its cheap security cameras, though it also manufactures other devices - said it had not been able to confirm that the exposed data had been improperly accessed.
Wyze cameras ship to Australia via third party marketplaces like Amazon and eBay.
The data was left exposed to the public internet between December 4th and December 26th.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc,” the company said in a forum post.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created.
“However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.
“We are still looking into this event to figure out why and how this happened.”
Wyze said that the exposed data “did not involve any of our production data tables”, nor did it contain “user passwords or government-regulated personal or financial information”.
“It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations,” Wyze said.
As a precaution, the company forced all users to log back into their Wyze accounts and generate new API tokens.
It also “unlinked all third party integrations which caused users to relink integrations with Alexa, the Google Assistant, and IFTTT to regain functionality of these services”.
“As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days,” it said.
Wyze apologised to users and said the incident “is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond two-factor authentication.”
