posted by Fnord666 on Wednesday January 01 2020, @10:19PM
from the eye-roll dept.

Wyze Exposes User Data via Unsecured ElasticSearch Cluster:

Smart home tech maker Wyze Labs confirmed that the user data of over 2.4 million of its users were exposed by an unsecured database connected to an Elasticsearch cluster for over three weeks, from December 4 to December 26.

The company discovered the incident after receiving an inquiry from an IPVM reporter via a "support ticket at 9:21 a.m. on December 26," immediately followed by IPVM publishing a piece "at 9:35 a.m" covering the exposed database discovered by security consulting firm Twelve Security.

However, as Dongsheng Song, Wyze's Co-Founder and Chief Product Officer, said in a blog post, some of the reported information wasn't accurate.

"We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing," he said in response to Twelve Security's disclosure and IPVM's story. "We did not have a similar breach 6 months ago."

This one impacting @WyzeCam looks pretty serious. Original public disclosure (which looks like it may have been made prematurely) is here: https://t.co/2WKp7siSSi https://t.co/cnfixxFuTP

— Troy Hunt (@troyhunt) December 27, 2019

[...] Regarding the impact of this security incident, Wyze advises its customers to be wary of future phishing attempts since one ore [sic] more third-parties could have their email addresses.

As a precautionary measure Wyze logged out all users by pushing a token refresh and "added another level of protection to our system databases (adjusted several permission rules and added a precaution to only allow certain whitelisted IPs access databases)."

As a direct result of these measures, all Wyze customers will have to log back in the next time they need to access their accounts and relink their Alexa, Google Assistant, or IFTTT integrations.


  • (Score: 4, Insightful) by MostCynical on Wednesday January 01 2020, @10:42PM


    "Cloud Service" = your data is going to leak, one day

    "Smart home" = unless configured by the user using open source hardware, software and/or advanced security knowledge, this is also known as 'voluntarily entering the panopticon'

    "Smart home company" = company selling your data, or collecting it to make it easier to hack (see "Cloud Service")

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex