

Wyze, maker of smart cameras and home security systems, reports data breach of 2.4 million customers

Posted at 9:42 AM, Dec 30, 2019, and last updated 2019-12-30 10:07:05-05

Wyze Labs, which makes smart cameras and connected home gadgets, has confirmed databases holding millions of customers' information were exposed to the public.

The first data leak exposed customer email addresses, as well as the email addresses of people who had been given permission to view the camera feeds. A list of cameras in customers' homes and tokens used to connect to smartphones and personal assistants such as Alexa were also left open for public view. That database was left exposed from Dec. 4 to Dec. 26.

The breach was disclosed on Dec. 26 by Twelve Security and quickly confirmed by Wyze. Twelve Security said the data breach involved 2.4 million customers worldwide. Wyze said no customer passwords or financial information was contained in the database that was left unprotected.

Wyze on Monday said a second database had also been exposed. It did not give details of what information is on that database, although it said it also did not include passwords or financial information.

As part of the response to the original data leak, Wyze logged out their customers and required them to log in again to create new tokens.

Wyze, which was started by three former Amazon employees, makes cameras that cost as little as $20, much less than the hundreds that many competing products cost.

But as smart home devices, such as cameras, become more common, a growing number of hackers have sought to access them. Earlier this month, four families with Ring cameras reported that hackers had accessed their system and talked to them. One told an 8-year-old girl that he was Santa Claus, and urged her to destroy the room.

Ring, which is owned by Amazon, said the system invasion was not the result of a breach or failure of Ring's security. Instead, it said the hackers had likely gained access to the family's account through weak or stolen login credentials.