Wyze is one of the many manufacturers of consumer-grade smart devices. They recently confirmed that user data belonging to nearly two and a half million of its customers was exposed. The root cause of the exposure was traced back to an unsecured database connected for nearly a month to an Elasticsearch cluster. This was during a period of time spanning December 4th to December 26th, 2019.
The company did not discover the database on their own. Rather, they were following a tip given to them by a reporter. This was following the developments of security researchers operating out of a company called Twelve Security, who initially discovered the database.The reporter published the article he was writing after contacting the company, but apparently, not in coordination with them.
Having been alerted to the problem, the company took swift action, but in this case, perhaps it was too swift. According to Dongsheng Song, one of the co-founders of the company and its current Chief Product Officer:
“We locked down the database in question before we were able to verify it was exposed. We did this as a precaution because the published article referenced a database connected to ‘Elasticsearch’: a search tool that we also used on our query database.”
As to impacts, it has been confirmed that the database in question contained WiFi SSIDs, customer email addresses and smart device nicknames,.It did not contain passwords or any financial information, so although it’s a serious issue, it’s not as bad as it could have been.
Song also noted in a blog post on the matter that “there is no evidence that API tokens for iOS and Android were exposed, but we decided to refresh them as we started our investigation as a precautionary measure.”
In a nutshell, the handling of this incident was botched and uneven, but it could have been much, much worse. Wyze dodged a bullet, as did the company’s customers.