Wyze Massive Data Leak

By: John Honovich, Published on Dec 26, 2019

Wyze has exposed millions of user's data, as reported by Twelve Security, and confirmed by IPVM, who has spoken with Twelve Security and reviewed the records.

Update 12/27/2019: Wyze has now confirmed the leak.

In the past few years, Wyze's use has exploded as the company has offered an unprecedented combination of super low pricing (~$25 per camera), US marketing and their founder's expertise / experience from Amazon.

Twelve Security found Wyze's Elasticsearch databases publicly exposed, e.g., as the screenshot below demonstrates:

As Twelve Security declared:

both of their entire production databases have been left entirely open to the internet.

With 2.4 million users exposed, concluding that:

If this was intentional espionage or if this was gross negligence it still stands as a malicious action that must be answered with a decisive, external, and fast investigation by US authorities.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

We checked the records and, e.g., found devices and accounts we have used to test Wyze, e.g.:

We reached out to Wyze but have not heard back from them. Moreover, we found no post in Wyze's active forum yet but would expect that to come soon and will update accordingly.

Update 1: this has been shared on the Wyze Forum with Wyze saying they are looking into it: What is up with the data breach? - Ask the Community - Wyze Community

Update @12/26/2019 8:45pm ET: Wyze is calling this an 'alleged data breach' saying that they have not been able to verify it. Below are more examples of a user_id associated with an IPVM employees' Wyze device from this leak:

Update @12/27/2019: Wyze has now confirmed the leak, saying:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

While Wyze says 'some data', we found at least 40 million records in the leak. [Note: Typically there are many records per user, see our screenshot above of our own leaked records, so 'records' should not be conflated with total 'users'.]

Moreover, the leak was open to the public for more than 3 weeks, only being closed after Twelve Security's post was released.

Wyze concluded:

For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.

The closest example we have found, in physical security, is Suprema biometric mass leak which similarily exposed Elasticsearch records.

Impact Examined

On the positive side for Wyze, Wyze specializes in serving price-sensitive customers who tend to be less driven by cybersecurity concerns. So long as Wyze can continue to provide that price advantage, we expect their core market to be happy.

On the negative side, Wyze is becoming one of the largest home security providers and will likely and should draw scrutiny from public officials.

The normal tactic for companies in this situation is to say that it was just an error. While it is hard for outsiders to be certain what the cause is, the researcher who found this concluded that "there are clear indications that the data is being sent back to the Alibaba Cloud in China". Moreover, Wyze has extensive PRC China connections include all of its manufacturing done in the PRC.

Update: Wyze's explanation that it had copied millions of user records and left them publicly available for weeks certainly falls under the error category. However, that is a combination of very serious errors that underscores challenges in Wyze's overall cybersecurity. Indeed, Wyze admitted that itself in his response:

This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects

How Wyze revisits and improves its cybersecurity will be an important factor in the company's evolution.

Wyze Challenges Growing

Wyze recently had a very public breakup with their analytics supplier, XNOR.ai, and is being sued by mega-manufacturer JCI. Combined with this massive data leak, Wyze is facing major challenges.

2 reports cite this report:

Stop Blaming Your Employee, Wyze on Dec 30, 2019
Wyze management is at fault for its massive data leak, not its 'employee', as...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
Comments (34) : Members only. Login. or Join.

Related Reports

Startup Solink $17 Million USD Fund Raise Expands To Mass Market on Jun 24, 2020
Solink has raised ~$17 million USD, a sizeable round for the company that...
Free IPVM All Access - Concluded! on Mar 18, 2020
The 2-day event has concluded. Thanks to everyone who accessed the IPVM...
IPVM's 12th Anniversary - Thank You! on Apr 07, 2020
IPVM is proud to celebrate it's 12 anniversary expanding our commitment to...
VergeSense Presents People Tracking Sensor on Jun 04, 2020
VergeSense presented its people tracking sensor and social distancing...
Ivy League Grads Present Percepta Shoplifting Detection on Jun 17, 2020
Ivy League graduates of the University of Pennsylvania presented their...
Euklis Presents AI Analytics on May 05, 2020
Euklis presented its AI facial recognition, LPR, and object recognition...
Genetec Security Center 5.9 Release Examined on Feb 06, 2020
Genetec released the next major version of Security Center, less than a year...
IPConfigure Presents Orchid Fusion VSaaS on Apr 30, 2020
IPConfigure presented Orchid Fusion VSaaS at the April 2020 IPVM New Products...
Startup Calipsa Presents AI False Alarm Filtering on Jul 21, 2020
Calipsa presented its AI false alarm filtering platform at the 2020 IPVM...
IDIS Presents 12MP IR Panoramic Fisheye on May 26, 2020
IDIS presented its 12MP IR panoramic fisheye camera at the April 2020 IPVM...
JCI "Fever Camera" Partners With China TVT on May 19, 2020
Johnson Controls (JCI) is the next big player to get into the 'fever camera'...
Cisco Acquiring Fluidmesh on Apr 09, 2020
Cisco announced it is acquiring niche wireless manufacturer...
IPVM On-Demand Courses on Mar 24, 2020
For nearly a decade, IPVM has been a leader in online live courses. Now, we...
USA's Feevr Thermal Temperature System Examined on Mar 31, 2020
This US company has burst on to the scene, brashly naming itself 'feevr' and...
Leica Launches LIDAR / Thermal / IP Camera on Mar 04, 2020
Swiss manufacturer Leica is launching what it calls a "real-time reality...

Recent Reports

Video Analytics Online Show September 2020 Opened - Axis, Avigilon, Bosch, BriefCam, Genetec, Milestone + 30 More on Aug 12, 2020
IPVM's sixth online show will feature 35+ Video Analytics companies...
The German Company Powering Many China Temperature Tablets (Heimann) on Aug 12, 2020
Many fever tablet suppliers market German-made Heimann thermal sensors while...
Salesforce Drops Dahua and Hikvision on Aug 12, 2020
Salesforce has dropped Dahua and Hikvision as customers, forcing the two mega...
Access Control Course Fall 2020 - Register Now - Save $50 Last Chance on Aug 12, 2020
IPVM offers the most comprehensive access control course in the...
Genetec CEO Declares "We Don't Negotiate Payment With Patent Trolls" on Aug 11, 2020
Are patent trolls like terrorists? Genetec's CEO is coming out strongly...
Hanwha AI Analytics Camera Tested on Aug 11, 2020
Hanwha has released their Wisenet P AI camera, adding person and vehicle...
Alabama Schools Million Dollar Hikvision Fever Camera Deal on Aug 11, 2020
The Baldwin County, Alabama public schools purchased a $1 million, 144-camera...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
HID Releases VertX Replacement Aero on Aug 10, 2020
HID is replacing two established and broadly supported types of access...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Telpo China Temperature Tablets Tested on Aug 10, 2020
The provider for overseas companies ranging from Canon Singapore to US'...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...