Wyze Massive Data Leak

By John Honovich, Published on Dec 26, 2019

Wyze has exposed millions of users' data, as reported by Twelve Security and confirmed by IPVM, which has spoken with Twelve Security and reviewed the records.

Update 12/27/2019: Wyze has now confirmed the leak.

In the past few years, Wyze's use has exploded as the company has offered an unprecedented combination of super low pricing (~$25 per camera), US marketing and their founder's expertise / experience from Amazon.

Twelve Security found Wyze's Elasticsearch databases publicly exposed, e.g., as the screenshot below demonstrates:

As Twelve Security declared:

both of their entire production databases have been left entirely open to the internet.

With 2.4 million users exposed, concluding that:

If this was intentional espionage or if this was gross negligence it still stands as a malicious action that must be answered with a decisive, external, and fast investigation by US authorities.

We checked the records and found devices and accounts we have used to test Wyze, e.g.:

We reached out to Wyze but have not heard back from them. Moreover, we found no post in Wyze's active forum yet but would expect that to come soon and will update accordingly.

Update 1: This has been shared on the Wyze Forum, with Wyze saying they are looking into it: "What is up with the data breach?" (Ask the Community, Wyze Community)

Update @12/26/2019 8:45pm ET: Wyze is calling this an 'alleged data breach', saying that they have not been able to verify it. Below are more examples of a user_id associated with an IPVM employee's Wyze device from this leak:

Update @12/27/2019: Wyze has now confirmed the leak, saying:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

While Wyze says 'some data', we found at least 40 million records in the leak. [Note: Typically there are many records per user, see our screenshot above of our own leaked records, so 'records' should not be conflated with total 'users'.]

Moreover, the leak was open to the public for more than 3 weeks, only being closed after Twelve Security's post was released.

Wyze concluded:

For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.

The closest example we have found in physical security is the Suprema biometric mass leak, which similarly exposed Elasticsearch records.

Impact Examined

On the positive side for Wyze, Wyze specializes in serving price-sensitive customers who tend to be less driven by cybersecurity concerns. So long as Wyze can continue to provide that price advantage, we expect their core market to be happy.

On the negative side, Wyze is becoming one of the largest home security providers and will likely and should draw scrutiny from public officials.

The normal tactic for companies in this situation is to say that it was just an error. While it is hard for outsiders to be certain what the cause is, the researcher who found this concluded that "there are clear indications that the data is being sent back to the Alibaba Cloud in China". Moreover, Wyze has extensive PRC China connections, including all of its manufacturing being done in the PRC.

Update: Wyze's explanation that it had copied millions of user records and left them publicly available for weeks certainly falls under the error category. However, that is a combination of very serious errors that underscores challenges in Wyze's overall cybersecurity. Indeed, Wyze admitted that itself in its response:

This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects

How Wyze revisits and improves its cybersecurity will be an important factor in the company's evolution.

Wyze Challenges Growing

Wyze recently had a very public breakup with their analytics supplier, XNOR.ai, and is being sued by mega-manufacturer JCI. Combined with this massive data leak, Wyze is facing major challenges.
