
Wyze Labs data breach exposes 2.4 million, includes PHI

Security camera and smart device maker Wyze Labs has confirmed a data breach that left exposed a database containing information on reportedly 2.4 million of its users.

Wyze Co-founder Dongsheng Song confirmed the data breach on December 27 and said the exposed database contained a large amount of personal, product and some medical information:

  • Username and email of those who purchased cameras and then connected them to their home.
  • Email of any user they ever shared camera access with, such as a family member.
  • List of all cameras in the home, nicknames for each camera, device model and firmware.
  • Wi-Fi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app.
  • API token for access to the user account from any iOS or Android device.
  • Alexa tokens for 24,000 users who have connected Alexa devices to their Wyze camera.
  • Height, weight, gender, bone density, bone mass, daily protein intake, and other health information for a subset of users.

Song detailed the chain of events, noting the company received notice of the open database on December 26 when the cybersecurity firm Twelve Security posted news of the leak.

“In this case, both the company’s production databases were left entirely open to the internet. A significant amount of sensitive information generated by 2.4 million users, all coincidentally outside of China, was the result,” Twelve Security wrote.

Wyze has not confirmed the number of its customers affected.

The database itself, which had just been created, was initially set up correctly, but an employee made an error on December 4 leaving the information exposed, Song said.

“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened,” Song said in a post on the company’s website.

As an added precaution Wyze has refreshed its iOS and Android API tokens even though there is no evidence they were compromised.

The company is in the process of informing those affected but did not say when the notifications would be sent.

Song apologized for the breach but defended his company’s overall approach to securing its products.

“We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this,” he said.

Published at Mon, 30 Dec 2019 15:39:27 +0000
